HTML-ISSUE-167 (remove-crossorigin): Remove the crossorigin attribute and CORS normative dependency from HTML Weekly Issue Tracker on 2011-06-24 (public-html-wg-issue-tracking@w3.org from June 2011)

From: HTML Weekly Issue Tracker <sysbot+tracker@w3.org>
Date: Fri, 24 Jun 2011 12:29:33 +0000
To: public-html-wg-issue-tracking@w3.org
Message-Id: <E1Qa5Vt-0000cS-Pw@stu.w3.org>

HTML-ISSUE-167 (remove-crossorigin): Remove the crossorigin attribute and CORS normative dependency

http://www.w3.org/html/wg/tracker/issues/167

Raised by: Sam Ruby
On product: 

This issue was raised on behalf of Shelley Powers:

This change does not "fix" the problem related to WebGL--in actuality, the
security vulnerability still exists. What this problem does is more or less
just shove the responsibility for the problems off the software implementation
and on to the application developers. 

This solution makes several assumptions, not the least of which that it
provides a safe way to fulfill the original use cases given within the WebGL
for supporting cross-domain resource access for texture use. Originally, WebGL
restricted cross-domain resource access for textures, most likely because of
security concerns. 

However, after exploring the original use cases given for adding cross-domain
resource access(such as using an ad from an ad service to embed an image into a
3D world, or using images served up at Flickr or AWS), there is no guarantee
that this solution will fix the problem. Why? Because those serving the remote
resources must also agree to the use of CORS, and I know for a fact that at
least one of the services has already expressed reluctance to do so (AWS). 

Point of fact, I'm not sure any service is going to be willing to incorporate a
functionality that is meant to bypass security protocols, for a technology
group delivering a product that at least two security organizations have
recommended against. 

In addition, the addition of crossorigin also created a normative dependency in
HTML for the CORS specification, which is, itself, a draft specification not
currently robust enough for Last Call status. Though CORS was listed as a
reference in the LC HTML5 document, I don't believe there was a normative
dependency in the HTML5 specification for CORs previous to this.

See the associated bug for additional details:

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888

Received on Friday, 24 June 2011 12:29:35 UTC