Bug 71053

Summary: Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
Product: WebKit Reporter: AlteredQualia <postfilter>
Component: WebGLAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ian, japhet, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

AlteredQualia
Reported 2011-10-27 12:29:40 PDT
Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin. Not sure if this is a bug or feature, specs are somehow ambiguous: http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#attr-crossorigin-anonymous (it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same) This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same. How to reproduce: Go for example here: http://mrdoob.github.com/three.js/examples/webgl_materials_normalmap2.html This used to show textured model. Instead Chrome console now shows exception: "Cross-origin image load denied by Cross-Origin Resource Sharing policy." Additional info: This issue is related to following Chromium and three.js issues: http://code.google.com/p/chromium/issues/detail?id=82042 https://github.com/mrdoob/three.js/issues/687 Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin.
Attachments
Patch (4.10 KB, patch)
2011-11-03 18:05 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2011-10-27 12:32:56 PDT
I need to double-check the spec and Firefox's behavior.
Adam Barth
Comment 2 2011-11-03 18:05:13 PDT
Created attachment 113599 [details] Patch
Darin Adler
Comment 3 2011-11-04 10:07:14 PDT
Comment on attachment 113599 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=113599&action=review > Source/WebCore/loader/ImageLoader.cpp:246 > + if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) > + && !m_element->document()->securityOrigin()->canRequest(image()->response().url()) > + && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) { Maybe this can be factored into an inline member function so the if statement is easier to read. The name of that function could help document what is going on, too.
WebKit Review Bot
Comment 4 2011-11-04 11:09:52 PDT
Comment on attachment 113599 [details] Patch Clearing flags on attachment: 113599 Committed r99298: <http://trac.webkit.org/changeset/99298>
WebKit Review Bot
Comment 5 2011-11-04 11:09:57 PDT
All reviewed patches have been landed. Closing bug.
Ian 'Hixie' Hickson
Comment 6 2012-01-27 14:22:47 PST
As far as I can tell, this disagrees with the specs. But maybe the spec should change...
Ian 'Hixie' Hickson
Comment 7 2012-01-27 18:01:15 PST
I've changed the spec. Not sure how closely it matches what WebKit is doing.
Note You need to log in before you can comment on or make changes to this bug.