Report from developer:
1. Load a page that fetches images from a client on domainA to a server that responds with Access-Control-Allow-Origin: *.
2. Load the same images from domainB, and attempt to embed them in a WebGL canvas on the page on domainB.
Expected: should be able to embed the images.
Actual: DOM security error 18 occurs.
The problem appears to be that domainA is encoded in the cache entry from step 1, despite the server specifying *. Then when loading the page on domainB, Chrome refuses to allow access to embed the image in the WebGL canvas.
(I haven't reproduced this yet, so I'm not entirely sure what's causing the issue.)
I'm having trouble reproducing the issue. I need to follow up with the original reporter. In the meantime, here is a LayoutTest capturing the reproduction steps.
Created attachment 107607
Comment on attachment 107607
Clearing flags on attachment: 107607
Committed r95351: <http://trac.webkit.org/changeset/95351>
All reviewed patches have been landed. Closing bug.
I'm going to leave this bug open while I check back with the developer who ran into the problem.
I think the original reporter was confused about how cache interacts with non-anonymous CORS requests, which is non-intuitive.
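The following sketch is an added example, not part of the bug thread or WebKit's code. It applies the Fetch standard's CORS check to responses served from a URL-keyed cache, for anonymous (`same-origin` credentials mode) and non-anonymous (`include`) requests. `ToyCache`, the two servers and the origins are constructed for illustration and are not claimed to be the root cause of the reported error.

```javascript
// CORS check from the Fetch standard, reduced to the two response headers involved.
// credentialsMode "same-origin" models crossorigin="anonymous"; "include" models "use-credentials".
function corsCheck(headers, requestOrigin, credentialsMode) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false; // "*" is not a match here
  if (credentialsMode !== "include") return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Hypothetical toy cache: keyed by URL alone unless the stored response
// carries "Vary: Origin", in which case the request origin joins the key.
class ToyCache {
  constructor() { this.entries = new Map(); }
  fetch(url, origin, server) {
    for (const key of [`${url}|${origin}`, url]) {
      if (this.entries.has(key)) return this.entries.get(key);
    }
    const headers = server(origin);
    const varies = (headers["vary"] || "").toLowerCase() === "origin";
    this.entries.set(varies ? `${url}|${origin}` : url, headers);
    return headers;
  }
}

// Constructed servers: one always answers "*", one echoes the request origin
// (the only way to satisfy a credentialed request), with or without Vary: Origin.
const wildcardServer = () => ({ "access-control-allow-origin": "*" });
const echoServer = (vary) => (origin) => ({
  "access-control-allow-origin": origin,
  "access-control-allow-credentials": "true",
  ...(vary ? { vary: "Origin" } : {}),
});

// A page on domain A loads the image first, then a page on domain B loads it.
// Returns [passes for A, passes for B].
function scenario(server, credentialsMode) {
  const origins = ["https://domain-a.example", "https://domain-b.example"];
  const url = "https://images.example/texture.png";
  const cache = new ToyCache();
  return origins.map((o) => corsCheck(cache.fetch(url, o, server), o, credentialsMode));
}

console.log("wildcard, anonymous:    ", scenario(wildcardServer, "same-origin"));
console.log("wildcard, credentialed: ", scenario(wildcardServer, "include"));
console.log("echo, no Vary:          ", scenario(echoServer(false), "include"));
console.log("echo, Vary: Origin:     ", scenario(echoServer(true), "include"));
```

A server that echoes the origin for credentialed requests needs `Vary: Origin`, otherwise the entry cached for the first origin is replayed to the second and fails the check.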