12744 – The crossdomain attribute named as such may prove an attractive talisman for copy-paste/cargocult authors, such that they start applying it on _any_ out of domain img regardless of CORS, especially when they see the no attribute string form <img crossdoma

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 12744 - The crossdomain attribute named as such may prove an attractive talisman for copy-paste/cargocult authors, such that they start applying it on _any_ out of domain img regardless of CORS, especially when they see the no attribute string form <img crossdoma

Summary: The crossdomain attribute named as such may prove an attractive talisman for ...

Status:	RESOLVED NEEDSINFO

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	LC1 HTML5 spec (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	---
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-05-25 00:10 UTC by contributor
Modified:	2011-08-31 23:50 UTC (History)
CC List:	7 users (show)

See Also:

Attachments

Description contributor 2011-05-25 00:10:40 UTC

Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content-1.html
Section: http://www.whatwg.org/specs/web-apps/current-work/#attr-img-crossorigin

Comment:
The crossdomain attribute named as such may prove an attractive talisman for
copy-paste/cargocult authors, such that they start applying it on _any_ out of
domain img regardless of CORS, especially when they see the no attribute
string form <img crossdomain src="..." /> which doesn't give the author any
semantic clue as to its real purpose.  Adding this attribute might not cause
visible breakage (if whoever is serving the image supports CORS), but it does
change the security attack surface of the application and should not be done
without reason.  Perhaps change the name of the attribute to something that
would not tempt authors to use it outside of CORS scenerios.  (Submitted by
Christian Iivari)

Posted from: 173.72.153.184
User agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Comment 1 Simon Pieters 2011-05-26 10:39:31 UTC

The use cases are for painting on 2d canvas and reading back the result or painting on webgl canvas. Is there a need for a declarative attribute, or should this feature only be available to scripts?

Comment 2 Michael[tm] Smith 2011-08-04 05:34:02 UTC

mass-move component to LC1

Comment 3 Anne 2011-08-16 08:42:33 UTC

Could create XMLHttpRequest.responseType = "image". (Just a thought.)

Comment 4 Ian 'Hixie' Hickson 2011-08-31 23:50:42 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Did Not Understand Request
Change Description: no spec change
Rationale: What's the attack scenario here? I would have set it implicitly on all <img> elements if it wasn't for compatibility concerns, so I don't understand why it would be bad for people to set it. In fact if anything, <img crossdomain src="..."> is safer than <img src="..."> since it removes cookies from the request.