
[Public WebGL] CORS and resource provider awareness



I'm recently hitting a problem a lot that shouldn't exist. This is
about using cross origin images/videos in WebGL. And I'd like
everybody to be aware that 1) there are nasty restrictions that
"evolved" and that 2) most resource providers are oblivious to the
issue and if perhaps we can raise awareness it would help.

A short and probably inaccurate history of cross origin history:
1) canvas and webgl came along, everything was fine, we could get images.
2) Somebody decided that presented a security issue and vendors
implemented canvas/webgl/image tainting, things were fine, most
legitimate uses wouldn't try to send the image data around.
3) CORS came along and everybody rejoiced, finally a way to share
those resources and mark the ones that are not security sensitive
4) Vendors seeing CORS decide that it's now legitimate to drop the old
tainting model and just flatly prohibit cross origin access to
resources if the CORS headers are not set.

What's broken? Most providers after step #4 of resources are oblivious
that suddenly resources they intended to be embeddable/sharable are
now no longer fully accessible to canvas, and not accessible at all to
WebGL.

How to solve it (not): get rid of CORS and cross origin restrictions.
No really, I would prefer this, but it's not gonna happen.
How to solve it (really now): Providers of resources *have* to be
aware that they have to set cross origin headers now and implement
CORS. There's no way around it. Please, please do it. It sucks if you
don't.

Recent example: google static maps
Other examples: everything everywhere

TL;DR
Please set CORS headers, you're killing baby seals.

Thanks
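
Added example, not part of the original post: a small JavaScript model of the check a browser applies to a cross-origin image before WebGL may use it as a texture (the page requests it with `img.crossOrigin` set). Resource providers can run it against the response headers they actually send; the origin `https://app.example` and the sample headers are constructed assumptions.

```javascript
// Added example: models the browser's CORS check for a cross-origin image
// that a page wants to use as a WebGL texture. Origins and sample headers
// are constructed for illustration.

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// mode mirrors img.crossOrigin: "anonymous" or "use-credentials".
function checkTextureCors(pageOrigin, headers, mode = "anonymous") {
  const warnings = [];
  const fail = reason => ({ usable: false, reason, warnings });
  const acao = header(headers, "Access-Control-Allow-Origin");
  if (acao === null) return fail("no Access-Control-Allow-Origin header");
  if (mode === "use-credentials") {
    // A wildcard never satisfies a credentialed request.
    if (acao !== pageOrigin) return fail("credentialed request needs the exact origin");
    if (header(headers, "Access-Control-Allow-Credentials") !== "true") {
      return fail("Access-Control-Allow-Credentials is not 'true'");
    }
  } else if (acao !== "*" && acao !== pageOrigin) {
    return fail("origin not allowed: " + acao);
  }
  // A per-origin answer without Vary: Origin can be served from a shared
  // cache to a different site, which then fails the check.
  if (acao !== "*") {
    const vary = (header(headers, "Vary") || "").toLowerCase().split(",").map(s => s.trim());
    if (!vary.includes("origin") && !vary.includes("*")) warnings.push("missing Vary: Origin");
  }
  return { usable: true, reason: "ok", warnings };
}

// Constructed sample responses from a hypothetical tile/image provider.
const samples = [
  ["no CORS headers", {}],
  ["wildcard", { "Access-Control-Allow-Origin": "*" }],
  ["echoed origin", { "access-control-allow-origin": "https://app.example" }],
];
for (const [label, headers] of samples) {
  const r = checkTextureCors("https://app.example", headers);
  console.log(label + ": " + (r.usable ? "usable" : "blocked") + " (" + r.reason + ")", r.warnings);
}
```

A wildcard `Access-Control-Allow-Origin: *` is enough for public images fetched in anonymous mode; it is rejected as soon as the client asks for `use-credentials`.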
