Bug 71053

Summary: Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
Product: WebKit Reporter: AlteredQualia <postfilter>
Component: WebGLAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ian, japhet, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description AlteredQualia 2011-10-27 12:29:40 PDT 
Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin.

Not sure if this is a bug or feature, specs are somehow ambiguous:

http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#attr-crossorigin-anonymous

(it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same)

This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same.

How to reproduce:

Go for example here:

http://mrdoob.github.com/three.js/examples/webgl_materials_normalmap2.html

This used to show textured model. Instead Chrome console now shows exception:

"Cross-origin image load denied by Cross-Origin Resource Sharing policy."

Additional info:

This issue is related to following Chromium and three.js issues:

http://code.google.com/p/chromium/issues/detail?id=82042

https://github.com/mrdoob/three.js/issues/687

Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin.
Comment 1 Adam Barth 2011-10-27 12:32:56 PDT 
I need to double-check the spec and Firefox's behavior.
Comment 2 Adam Barth 2011-11-03 18:05:13 PDT 
Created attachment 113599 [details]
Patch
Comment 3 Darin Adler 2011-11-04 10:07:14 PDT 
Comment on attachment 113599 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=113599&action=review

> Source/WebCore/loader/ImageLoader.cpp:246
> +    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr)
> +        && !m_element->document()->securityOrigin()->canRequest(image()->response().url())
> +        && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {

Maybe this can be factored into an inline member function so the if statement is easier to read. The name of that function could help document what is going on, too.
Comment 4 WebKit Review Bot 2011-11-04 11:09:52 PDT 
Comment on attachment 113599 [details]
Patch

Clearing flags on attachment: 113599

Committed r99298: <http://trac.webkit.org/changeset/99298>
Comment 5 WebKit Review Bot 2011-11-04 11:09:57 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 6 Ian 'Hixie' Hickson 2012-01-27 14:22:47 PST 
As far as I can tell, this disagrees with the specs. But maybe the spec should change...
Comment 7 Ian 'Hixie' Hickson 2012-01-27 18:01:15 PST 
I've changed the spec. Not sure how closely it matches what WebKit is doing.