RESOLVED FIXED 68011
CORS images viewed from different domains fail security checks
https://bugs.webkit.org/show_bug.cgi?id=68011
Adam Barth
Reported 2011-09-13 11:02:47 PDT
Report from developer:

===
1. Load a page that fetches images from a client on domainA to server that responds with Access-Control-Allow-Origin: *.
2. Load the same images from domainB, and attempt to embed them in a WebGL canvas on the page on domainB.

Expected: should be able to embed the images.
Actual: DOM security error 18 occurs.

The problem appears to be that domainA is encoded in the cache entry from step 1, despite the server specifying *. Then when loading the page on domainB, Chrome refuses to allow access to embed the image in the WebGL canvas.
===
Attachments
Patch (3.59 KB, patch)
2011-09-15 22:58 PDT, Adam Barth
no flags
Adam Barth
Comment 1 2011-09-13 15:42:54 PDT
(I haven't reproduced this yet, so I'm not entirely sure what's causing the issue.)
Adam Barth
Comment 2 2011-09-15 22:57:17 PDT
I'm having trouble reproducing the issue. I need to follow up with the original reporter. In the meantime, here is a LayoutTest capturing the reproduction steps.
Adam Barth
Comment 3 2011-09-15 22:58:20 PDT
WebKit Review Bot
Comment 4 2011-09-16 18:46:44 PDT
Comment on attachment 107607
Patch

Clearing flags on attachment: 107607

Committed r95351: <http://trac.webkit.org/changeset/95351>
WebKit Review Bot
Comment 5 2011-09-16 18:46:48 PDT
All reviewed patches have been landed. Closing bug.
Adam Barth
Comment 6 2011-09-16 22:07:20 PDT
I'm going to leave this bug open while I check back with the developer who ran into the problem.
Adam Barth
Comment 7 2011-10-13 02:14:26 PDT
I think the original reporter was confused about how cache interacts with non-anonymous CORS requests, which is non-intuitive.
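
The cache interaction mentioned in comment 7, modelled as an added example (not code from this bug, its patch, or WebKit): a CORS check for image responses run against a cache keyed on URL, and on Origin only when the stored response sent Vary: Origin. The three server policies, the cache model and the example hostnames are assumptions made for illustration.

```javascript
// Constructed model, not WebKit code: CORS check for an image response.
function corsCheck(origin, withCredentials, headers) {
  const allow = headers['access-control-allow-origin'];
  if (allow === undefined) return false;
  // The wildcard satisfies anonymous requests only.
  if (allow === '*') return !withCredentials;
  if (allow !== origin) return false;
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  return !withCredentials || headers['access-control-allow-credentials'] === 'true';
}

// Hypothetical cache: keyed by URL, and by Origin only if the stored
// response said "Vary: Origin".
class ImageCache {
  constructor() { this.entries = new Map(); }
  fetch(url, origin, server) {
    const hit = this.entries.get(url);
    if (hit && (!hit.varies || hit.origin === origin)) return hit.headers;
    const headers = server(origin);
    const varies = /\borigin\b/i.test(headers['vary'] || '');
    this.entries.set(url, { headers, origin, varies });
    return headers;
  }
}

// Three assumed server policies (sample responses, constructed).
const servers = {
  wildcard: () => ({ 'access-control-allow-origin': '*' }),
  echo: (o) => ({ 'access-control-allow-origin': o,
                  'access-control-allow-credentials': 'true' }),
  echoVary: (o) => ({ 'access-control-allow-origin': o,
                      'access-control-allow-credentials': 'true',
                      'vary': 'Origin' }),
};

// Load the same image from domainA, then domainB, through one cache.
// Returns [usableOnA, usableOnB] for canvas/WebGL use.
function scenario(policy, crossorigin) {
  const cache = new ImageCache();
  const creds = crossorigin === 'use-credentials';
  const url = 'https://images.example/tex.png';
  return ['https://domaina.example', 'https://domainb.example'].map(
    (origin) => corsCheck(origin, creds, cache.fetch(url, origin, servers[policy])));
}

for (const [p, m] of [['wildcard', 'anonymous'], ['wildcard', 'use-credentials'],
                      ['echo', 'use-credentials'], ['echoVary', 'use-credentials']]) {
  console.log(p, m, scenario(p, m));
}
```

In this model the wildcard response works for both domains in anonymous mode and for neither in use-credentials mode; an echoed origin without Vary: Origin works only for the domain that populated the cache.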