Bug 68011 - CORS images viewed from different domains fail security checks
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Adam Barth
Depends on:
Reported: 2011-09-13 11:02 PDT by Adam Barth
Modified: 2011-10-13 02:14 PDT

Patch (3.59 KB, patch)
2011-09-15 22:58 PDT, Adam Barth

Description Adam Barth 2011-09-13 11:02:47 PDT
Report from developer:

1. Load a page that fetches images from a client on domainA to a server that responds with Access-Control-Allow-Origin: *.
2. Load the same images from domainB, and attempt to embed them in a WebGL canvas on the page on domainB.

Expected: should be able to embed the images.
Actual: DOM security error 18 occurs.

The problem appears to be that domainA is encoded in the cache entry from step 1, despite the server specifying *.  Then when loading the page on domainB, Chrome refuses to allow access to embed the image in the WebGL canvas.
Comment 1 Adam Barth 2011-09-13 15:42:54 PDT
(I haven't reproduced this yet, so I'm not entirely sure what's causing the issue.)
Comment 2 Adam Barth 2011-09-15 22:57:17 PDT
I'm having trouble reproducing the issue.  I need to follow up with the original reporter.  In the meantime, here is a LayoutTest capturing the reproduction steps.
Comment 3 Adam Barth 2011-09-15 22:58:20 PDT
Created attachment 107607
Comment 4 WebKit Review Bot 2011-09-16 18:46:44 PDT
Comment on attachment 107607

Clearing flags on attachment: 107607

Committed r95351: <http://trac.webkit.org/changeset/95351>
Comment 5 WebKit Review Bot 2011-09-16 18:46:48 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Adam Barth 2011-09-16 22:07:20 PDT
I'm going to leave this bug open while I check back with the developer who ran into the problem.
Comment 7 Adam Barth 2011-10-13 02:14:26 PDT
I think the original reporter was confused about how cache interacts with non-anonymous CORS requests, which is non-intuitive.
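
Added example, not part of the bug thread and not WebKit's code: a model of the CORS resource sharing check applied to a cached image response, showing when a second origin is refused. The origins, URL, toy cache and the three server behaviours (in particular a server that echoes the requesting origin for credentialed requests) are constructed assumptions, not details from the report.

```javascript
// Added illustration, not WebKit code. Origins, URL and servers are constructed.

// CORS resource sharing check applied before a page may read image pixels.
function corsCheck(headers, origin, withCredentials) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;
  // "*" satisfies only anonymous (credential-less) requests.
  if (allow === "*") return !withCredentials;
  if (allow !== origin) return false;
  return !withCredentials || headers["access-control-allow-credentials"] === "true";
}

// Toy HTTP cache: keyed by URL, plus the origin when the response says Vary: Origin.
function makeCache(server) {
  const entries = new Map();
  const varies = new Set();
  return function load(url, origin, withCredentials) {
    const key = varies.has(url) ? `${url}|${origin}` : url;
    if (!entries.has(key)) {
      const headers = server(origin);
      if ((headers["vary"] || "").toLowerCase().includes("origin")) {
        varies.add(url);
        entries.set(`${url}|${origin}`, headers);
        return corsCheck(headers, origin, withCredentials);
      }
      entries.set(key, headers);
    }
    // Cache hit: the stored headers are checked against the *current* origin.
    return corsCheck(entries.get(key), origin, withCredentials);
  };
}

// Constructed server behaviours.
const wildcard = () => ({ "access-control-allow-origin": "*" });
const echo = (origin) => ({
  "access-control-allow-origin": origin,
  "access-control-allow-credentials": "true",
});
const echoVary = (origin) => ({ ...echo(origin), vary: "Origin" });

// Load the same image first from domainA, then from domainB.
function scenario(server, withCredentials) {
  const load = makeCache(server);
  const url = "https://images.example/texture.png";
  return [
    load(url, "https://domaina.example", withCredentials),
    load(url, "https://domainb.example", withCredentials),
  ];
}
```

`scenario(echo, true)` passes for the first origin and fails for the second because the cached entry names the first origin; adding `Vary: Origin` (`echoVary`) gives each origin its own entry.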