71053 2011-10-27 12:29:40 -0700 Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests 2012-01-27 18:01:15 -0800 1 1 1 Unclassified WebKit WebGL 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 0 postfilter abarth abarth ian japhet webkit.review.bot oldest_to_newest 491823 0 postfilter 2011-10-27 12:29:40 -0700 Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin. Not sure if this is a bug or feature, specs are somehow ambiguous: http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#attr-crossorigin-anonymous (it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same) This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same. How to reproduce: Go for example here: http://mrdoob.github.com/three.js/examples/webgl_materials_normalmap2.html This used to show textured model. Instead Chrome console now shows exception: "Cross-origin image load denied by Cross-Origin Resource Sharing policy." Additional info: This issue is related to following Chromium and three.js issues: http://code.google.com/p/chromium/issues/detail?id=82042 https://github.com/mrdoob/three.js/issues/687 Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin. 491827 1 abarth 2011-10-27 12:32:56 -0700 I need to double-check the spec and Firefox's behavior. 495957 2 113599 abarth 2011-11-03 18:05:13 -0700 Created attachment 113599 Patch 496256 3 113599 darin 2011-11-04 10:07:14 -0700 Comment on attachment 113599 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=113599&action=review > Source/WebCore/loader/ImageLoader.cpp:246 > + if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) > + && !m_element->document()->securityOrigin()->canRequest(image()->response().url()) > + && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) { Maybe this can be factored into an inline member function so the if statement is easier to read. The name of that function could help document what is going on, too. 496321 4 113599 webkit.review.bot 2011-11-04 11:09:52 -0700 Comment on attachment 113599 Patch Clearing flags on attachment: 113599 Committed r99298: <http://trac.webkit.org/changeset/99298> 496322 5 webkit.review.bot 2011-11-04 11:09:57 -0700 All reviewed patches have been landed. Closing bug. 544362 6 ian 2012-01-27 14:22:47 -0800 As far as I can tell, this disagrees with the specs. But maybe the spec should change... 544557 7 ian 2012-01-27 18:01:15 -0800 I've changed the spec. Not sure how closely it matches what WebKit is doing. 113599 2011-11-03 18:05:13 -0700 2011-11-04 11:09:52 -0700 Patch bug-71053-20111103180512.patch text/plain 4198 abarth SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDk5MjU0KQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjAgQEAKKzIwMTEtMTEtMDMgIEFkYW0gQmFy dGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBBbm9ueW1vdXMgQ09SUyBmZXRjaCBm b3IgV2ViR0wgdGV4dHVyZSBmYWlscyB3aGVuIHRoZXJlIGlzIG5vIGFwcHJvcHJpYXRlIHNlcnZl ciByZXNwb25zZSBldmVuIGZvciB0aGUgc2FtZSBvcmlnaW4gcmVxdWVzdHMKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTcxMDUzCisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhlIGNyb3Nzb3JpZ2luIGF0dHJp YnV0ZSBzaG91bGQgYmVoYXZlIGxpa2UgWE1MSHR0cFJlcXVlc3Q6CisgICAgICAgIHNhbWUtb3Jp Z2luIGltYWdlcyBwYXNzIHdpdGhvdXQgYW5kIENPUlMgaGVhZGVycywgYnV0IENPUlMgY2hlY2tz IGFyZQorICAgICAgICBwZXJmb3JtZWQgZm9yIGNyb3NzLW9yaWdpbiBsb2Fkcy4gIFRoaXMgcGF0 Y2ggYmV0dGVyIGFsaWducyBvdXIKKyAgICAgICAgYmVoYXZpb3Igd2l0aCBGaXJlZm94LCBhcyBk aXNjdXNzZWQgaW4gdGhlIGJ1Zy4KKworICAgICAgICBUZXN0OiBodHRwL3Rlc3RzL3NlY3VyaXR5 L2ltZy1jcm9zc29yaWdpbi1sb2Fkcy1zYW1lLW9yaWdpbi5odG1sCisKKyAgICAgICAgKiBsb2Fk ZXIvSW1hZ2VMb2FkZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6SW1hZ2VMb2FkZXI6Om5vdGlm eUZpbmlzaGVkKToKKwogMjAxMS0xMS0wMyAgTGV2aSBXZWludHJhdWIgIDxsZXZpd0BjaHJvbWl1 bS5vcmc+CiAKICAgICAgICAgQ29ycmVjdCB1c2FnZSBvZiBMYXlvdXRVbml0cyBhbmQgaW50ZWdl cnMgaW4gVGFibGUgcmVuZGVyaW5nIGNsYXNzZXMKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2xvYWRl ci9JbWFnZUxvYWRlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvbG9hZGVyL0lt YWdlTG9hZGVyLmNwcAkocmV2aXNpb24gOTkyMjgpCisrKyBTb3VyY2UvV2ViQ29yZS9sb2FkZXIv SW1hZ2VMb2FkZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0zMyw2ICszMyw3IEBACiAjaW5jbHVk ZSAiSFRNTFBhcnNlcklkaW9tcy5oIgogI2luY2x1ZGUgIlJlbmRlckltYWdlLmgiCiAjaW5jbHVk ZSAiU2NyaXB0Q2FsbFN0YWNrLmgiCisjaW5jbHVkZSAiU2VjdXJpdHlPcmlnaW4uaCIKIAogI2lm IEVOQUJMRShTVkcpCiAjaW5jbHVkZSAiUmVuZGVyU1ZHSW1hZ2UuaCIKQEAgLTI0MCw3ICsyNDEs MTAgQEAgdm9pZCBJbWFnZUxvYWRlcjo6bm90aWZ5RmluaXNoZWQoQ2FjaGVkUgogICAgIGlmICht X2ZpcmVkTG9hZCkKICAgICAgICAgcmV0dXJuOwogCi0gICAgaWYgKG1fZWxlbWVudC0+ZmFzdEhh c0F0dHJpYnV0ZShIVE1MTmFtZXM6OmNyb3Nzb3JpZ2luQXR0cikgJiYgIXJlc291cmNlLT5wYXNz ZXNBY2Nlc3NDb250cm9sQ2hlY2sobV9lbGVtZW50LT5kb2N1bWVudCgpLT5zZWN1cml0eU9yaWdp bigpKSkgeworICAgIGlmIChtX2VsZW1lbnQtPmZhc3RIYXNBdHRyaWJ1dGUoSFRNTE5hbWVzOjpj cm9zc29yaWdpbkF0dHIpCisgICAgICAgICYmICFtX2VsZW1lbnQtPmRvY3VtZW50KCktPnNlY3Vy aXR5T3JpZ2luKCktPmNhblJlcXVlc3QoaW1hZ2UoKS0+cmVzcG9uc2UoKS51cmwoKSkKKyAgICAg ICAgJiYgIXJlc291cmNlLT5wYXNzZXNBY2Nlc3NDb250cm9sQ2hlY2sobV9lbGVtZW50LT5kb2N1 bWVudCgpLT5zZWN1cml0eU9yaWdpbigpKSkgeworCiAgICAgICAgIHNldEltYWdlKDApOwogCiAg ICAgICAgIERFRklORV9TVEFUSUNfTE9DQUwoU3RyaW5nLCBjb25zb2xlTWVzc2FnZSwgKCJDcm9z cy1vcmlnaW4gaW1hZ2UgbG9hZCBkZW5pZWQgYnkgQ3Jvc3MtT3JpZ2luIFJlc291cmNlIFNoYXJp bmcgcG9saWN5LiIpKTsKSW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9uIDk5MjU0KQorKysgTGF5b3V0VGVzdHMv Q2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAKKzIwMTEtMTEtMDMgIEFk YW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBBbm9ueW1vdXMgQ09SUyBm ZXRjaCBmb3IgV2ViR0wgdGV4dHVyZSBmYWlscyB3aGVuIHRoZXJlIGlzIG5vIGFwcHJvcHJpYXRl IHNlcnZlciByZXNwb25zZSBldmVuIGZvciB0aGUgc2FtZSBvcmlnaW4gcmVxdWVzdHMKKyAgICAg ICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTcxMDUzCisKKyAgICAg ICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdCB0aGF0IHdlIHN1 Y2NlZWQgaW4gbG9hZGluZyBhIHNhbWUtb3JpZ2luIGltYWdlIHdpdGhvdXQgdGhlIGhlbHAgb2YK KyAgICAgICAgQ09SUyBldmVuIGlmIHRoZSBpbWFnZSBoYXMgdGhlIGNyb3Nzb3JpZ2luIGF0dHJp YnV0ZS4KKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvaW1nLWNyb3Nzb3JpZ2luLWxv YWRzLXNhbWUtb3JpZ2luLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0 cy9zZWN1cml0eS9pbWctY3Jvc3NvcmlnaW4tbG9hZHMtc2FtZS1vcmlnaW4uaHRtbDogQWRkZWQu CisKIDIwMTEtMTEtMDMgIFRvbnkgQ2hhbmcgIDx0b255QGNocm9taXVtLm9yZz4KIAogICAgICAg ICBSZW1vdmUgYW4gb2Jzb2xldGUgY29tbWVudC4KSW5kZXg6IExheW91dFRlc3RzL2h0dHAvdGVz dHMvc2VjdXJpdHkvaW1nLWNyb3Nzb3JpZ2luLWxvYWRzLXNhbWUtb3JpZ2luLWV4cGVjdGVkLnR4 dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2ltZy1jcm9z c29yaWdpbi1sb2Fkcy1zYW1lLW9yaWdpbi1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBM YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2ltZy1jcm9zc29yaWdpbi1sb2Fkcy1zYW1l LW9yaWdpbi1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMyBAQAorQUxFUlQ6 IFBBU1MKK1RoaXMgaW1hZ2Ugc2hvdWxkIGxvYWQ6CisKSW5kZXg6IExheW91dFRlc3RzL2h0dHAv dGVzdHMvc2VjdXJpdHkvaW1nLWNyb3Nzb3JpZ2luLWxvYWRzLXNhbWUtb3JpZ2luLmh0bWwKPT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9pbWctY3Jvc3Nvcmln aW4tbG9hZHMtc2FtZS1vcmlnaW4uaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkvaW1nLWNyb3Nzb3JpZ2luLWxvYWRzLXNhbWUtb3JpZ2luLmh0bWwJ KHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTUgQEAKKzxzY3JpcHQ+CitpZiAod2luZG93LmxheW91 dFRlc3RDb250cm9sbGVyKSB7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgp OworICAgIGxheW91dFRlc3RDb250cm9sbGVyLndhaXRVbnRpbERvbmUoKTsKK30KKworZnVuY3Rp b24gbG9hZGVkKCkgeworICAgIHZhciBpbWFnZSA9IGRvY3VtZW50LmJvZHkuZ2V0RWxlbWVudHNC eVRhZ05hbWUoJ2ltZycpWzBdOworICAgIGFsZXJ0KGltYWdlLndpZHRoID4gMCA/ICdQQVNTJyA6 ICdGQUlMJyk7CisgICAgaWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICAgICAg bGF5b3V0VGVzdENvbnRyb2xsZXIubm90aWZ5RG9uZSgpOworfQorPC9zY3JpcHQ+CitUaGlzIGlt YWdlIHNob3VsZCBsb2FkOjxicj4KKzxpbWcgY3Jvc3NvcmlnaW49ImFub255bW91cyIgc3JjPSJy ZXNvdXJjZXMvYWJlLnBuZyIgb25sb2FkPSJsb2FkZWQoKSI+Cg==