ISSUE-167: Remove the crossorigin attribute and CORS normative dependency

Nickname:
remove-crossorigin

State:
CLOSED
Product:
Raised by:
Sam Ruby
Opened on:
2011-06-24
Description:
This issue was raised on behalf of Shelley Powers:

This change does not "fix" the problem related to WebGL--in actuality, the
security vulnerability still exists. What this problem does is more or less
just shove the responsibility for the problems off the software implementation
and on to the application developers.

This solution makes several assumptions, not the least of which that it
provides a safe way to fulfill the original use cases given within the WebGL
for supporting cross-domain resource access for texture use. Originally, WebGL
restricted cross-domain resource access for textures, most likely because of
security concerns.

However, after exploring the original use cases given for adding cross-domain
resource access (such as using an ad from an ad service to embed an image into a
3D world, or using images served up at Flickr or AWS), there is no guarantee
that this solution will fix the problem. Why? Because those serving the remote
resources must also agree to the use of CORS, and I know for a fact that at
least one of the services has already expressed reluctance to do so (AWS).

Point of fact, I'm not sure any service is going to be willing to incorporate a
functionality that is meant to bypass security protocols, for a technology
group delivering a product that at least two security organizations have
recommended against.

In addition, the addition of crossorigin also created a normative dependency in
HTML for the CORS specification, which is, itself, a draft specification not
currently robust enough for Last Call status. Though CORS was listed as a
reference in the LC HTML5 document, I don't believe there was a normative
dependency in the HTML5 specification for CORS previous to this.

See the associated bug for additional details:

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888
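The mechanism the issue argues about is the browser's CORS response check: with the crossorigin attribute an image is fetched in CORS mode and may be uploaded as a WebGL texture only if the remote server explicitly grants access in its response headers; without the attribute the image is opaque and texImage2D rejects it. The following is an added example, not code from the tracker page or from the HTML or WebGL specifications. It models that check for constructed response headers; the function names (credentialsModeFor, corsCheck, textureOutcome), the origins and the sample header sets are all made up for illustration.

```javascript
// Added example: apply the CORS response check a browser performs on a
// cross-origin <img> fetched with a given `crossorigin` attribute value, and
// report whether WebGL could use the result as a texture. Helper names and
// sample headers are constructed for this example.

// Map the attribute value to the credentials mode of the resulting fetch.
// No attribute at all means a no-cors fetch: the image still renders in <img>,
// but the opaque result cannot be uploaded with texImage2D.
function credentialsModeFor(crossoriginAttr) {
  if (crossoriginAttr === null || crossoriginAttr === undefined) return null;
  // Per HTML, every value other than "use-credentials" (including the bare
  // attribute, i.e. "") is the "anonymous" state.
  return crossoriginAttr.toLowerCase() === 'use-credentials' ? 'include' : 'same-origin';
}

// CORS check from the Fetch standard. `headers` is a plain object; header
// names are matched case-insensitively, a repeated header is represented as a
// comma-joined value (which the check rejects).
function corsCheck(pageOrigin, credentialsMode, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return false;                 // server never opted in
  if (acao.includes(',')) return false;                 // multiple values are invalid
  if (credentialsMode !== 'include' && acao === '*') return true;
  if (acao !== pageOrigin) return false;                // must echo the exact origin
  if (credentialsMode !== 'include') return true;
  return h['access-control-allow-credentials'] === 'true';  // wildcard not allowed here
}

// Returns 'usable' when the image could be uploaded as a texture, otherwise a
// string naming the reason it is blocked.
function textureOutcome(pageOrigin, imageOrigin, crossoriginAttr, responseHeaders) {
  if (imageOrigin === pageOrigin) return 'usable';      // same-origin needs no CORS
  const mode = credentialsModeFor(crossoriginAttr);
  if (mode === null) return 'blocked: no crossorigin attribute, image is opaque';
  return corsCheck(pageOrigin, mode, responseHeaders)
    ? 'usable'
    : 'blocked: remote server did not grant CORS access';
}

// Constructed sample: a page on one origin pulling a texture from an image host.
const PAGE = 'https://game.example';
const HOST = 'https://images.example';

// The host serves the image but sends no CORS header: exactly the "the remote
// service must also agree" situation the issue describes.
const NO_OPT_IN = { 'Content-Type': 'image/jpeg' };
// The host has opted in for anonymous requests.
const OPT_IN = { 'Content-Type': 'image/jpeg', 'Access-Control-Allow-Origin': '*' };

console.log(textureOutcome(PAGE, HOST, 'anonymous', NO_OPT_IN));
console.log(textureOutcome(PAGE, HOST, null, OPT_IN));
console.log(textureOutcome(PAGE, HOST, 'anonymous', OPT_IN));
```

The two blocked cases show the two halves of the objection: the attribute alone does nothing unless the image host sends Access-Control-Allow-Origin, and a host that does send it still gains nothing for pages that omit the attribute. The use-credentials state is stricter still, since a wildcard origin is not accepted when credentials are included.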
Related Action Items:
No related actions
Related emails:
  1. {agenda} HTML WG telecon 2011-08-04: Issues, Task Force Reports, Overdue P1, Last Call components (from rubys@intertwingly.net on 2011-08-03)
  2. Re: ISSUE-167 remove-crossorigin: Chairs Solicit Proposals (from rubys@intertwingly.net on 2011-08-03)
  3. RE: {Minutes} HTML WG telecon 2011-07-28: Issues, Last Call period (from adrianba@microsoft.com on 2011-07-28)
  4. Re: {Agenda} HTML WG telecon 2011-07-28: Issues, Last Call period (from janina@rednote.net on 2011-07-27)
  5. RE: {Agenda} HTML WG telecon 2011-07-28: Issues, Last Call period (from Eliot.Graff@microsoft.com on 2011-07-27)
  6. {Agenda} HTML WG telecon 2011-07-28: Issues, Last Call period (from Paul.Cotton@microsoft.com on 2011-07-27)
  7. RE: ISSUE-167 remove-crossorigin: Chairs Solicit Proposals (from Paul.Cotton@microsoft.com on 2011-07-24)
  8. {minutes} HTML WG telecon 2011-07-21: Task Force reports, Last Call change control, Decision Policy (from eoconnor@apple.com on 2011-07-21)
  9. {agenda} HTML WG telecon 2011-07-21: Task Force reports, Last Call change control, Decision Policy (from mjs@apple.com on 2011-07-20)
  10. Re: {agenda} HTML WG telecon 2011-06-30 WG Issues, Calls, TAG Issue (RDFa/Microdata), author-view (from rubys@intertwingly.net on 2011-06-30)
  11. {agenda} HTML WG telecon 2011-06-30 WG Issues, Calls, TAG Issue (RDFa/Microdata), author-view (from rubys@intertwingly.net on 2011-06-28)
  12. ISSUE-167 remove-crossorigin: Chairs Solicit Proposals (from rubys@intertwingly.net on 2011-06-28)
  13. HTML-ISSUE-167 (remove-crossorigin): Remove the crossorigin attribute and CORS normative dependency (from sysbot+tracker@w3.org on 2011-06-24)

Related notes:

Closed without prejudice:

http://lists.w3.org/Archives/Public/public-html/2011Aug/0133.html

Sam Ruby, 3 Aug 2011, 14:23:16

Changelog:

Created issue 'Remove the crossorigin attribute and CORS normative dependency', nickname remove-crossorigin, owned by Sam Ruby, no product, non-public; description as given above.

Sam Ruby, 24 Jun 2011, 12:29:33

Issue dissociated from any product

Sam Ruby, 3 Aug 2011, 14:23:16

Status changed to 'closed'

Sam Ruby, 3 Aug 2011, 14:23:16


Paul Cotton <Paul.Cotton@microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Sam Ruby <rubys@intertwingly.net>, Chairs, Michael[tm] Smith <mike@w3.org>, Staff Contact