Bug 71053

Summary: Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
Product: WebKit Reporter: AlteredQualia <postfilter>
Component: WebGLAssignee: Adam Barth <abarth>
Severity: Normal CC: abarth, ian, japhet, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Description Flags
Patch none

Description AlteredQualia 2011-10-27 12:29:40 PDT
Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin.

Not sure if this is a bug or feature, specs are somehow ambiguous:


(it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same)

This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same.

How to reproduce:

Go for example here:


This used to show textured model. Instead Chrome console now shows exception:

"Cross-origin image load denied by Cross-Origin Resource Sharing policy."

Additional info:

This issue is related to following Chromium and three.js issues:



Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin.
Comment 1 Adam Barth 2011-10-27 12:32:56 PDT
I need to double-check the spec and Firefox's behavior.
Comment 2 Adam Barth 2011-11-03 18:05:13 PDT
Created attachment 113599 [details]
Comment 3 Darin Adler 2011-11-04 10:07:14 PDT
Comment on attachment 113599 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=113599&action=review

> Source/WebCore/loader/ImageLoader.cpp:246
> +    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr)
> +        && !m_element->document()->securityOrigin()->canRequest(image()->response().url())
> +        && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {

Maybe this can be factored into an inline member function so the if statement is easier to read. The name of that function could help document what is going on, too.
Comment 4 WebKit Review Bot 2011-11-04 11:09:52 PDT
Comment on attachment 113599 [details]

Clearing flags on attachment: 113599

Committed r99298: <http://trac.webkit.org/changeset/99298>
Comment 5 WebKit Review Bot 2011-11-04 11:09:57 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Ian 'Hixie' Hickson 2012-01-27 14:22:47 PST
As far as I can tell, this disagrees with the specs. But maybe the spec should change...
Comment 7 Ian 'Hixie' Hickson 2012-01-27 18:01:15 PST
I've changed the spec. Not sure how closely it matches what WebKit is doing.