Bug 71053 - Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
Summary: Anonymous CORS fetch for WebGL texture fails when there is no appropriate ser...
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebGL (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Adam Barth
Depends on:
Reported: 2011-10-27 12:29 PDT by AlteredQualia
Modified: 2012-01-27 18:01 PST (History)
4 users (show)

See Also:

Patch (4.10 KB, patch)
2011-11-03 18:05 PDT, Adam Barth
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description AlteredQualia 2011-10-27 12:29:40 PDT
Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin.

Not sure if this is a bug or feature, specs are somehow ambiguous:


(it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same)

This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same.

How to reproduce:

Go for example here:


This used to show textured model. Instead Chrome console now shows exception:

"Cross-origin image load denied by Cross-Origin Resource Sharing policy."

Additional info:

This issue is related to following Chromium and three.js issues:



Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin.
Comment 1 Adam Barth 2011-10-27 12:32:56 PDT
I need to double-check the spec and Firefox's behavior.
Comment 2 Adam Barth 2011-11-03 18:05:13 PDT
Created attachment 113599 [details]
Comment 3 Darin Adler 2011-11-04 10:07:14 PDT
Comment on attachment 113599 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=113599&action=review

> Source/WebCore/loader/ImageLoader.cpp:246
> +    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr)
> +        && !m_element->document()->securityOrigin()->canRequest(image()->response().url())
> +        && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {

Maybe this can be factored into an inline member function so the if statement is easier to read. The name of that function could help document what is going on, too.
Comment 4 WebKit Review Bot 2011-11-04 11:09:52 PDT
Comment on attachment 113599 [details]

Clearing flags on attachment: 113599

Committed r99298: <http://trac.webkit.org/changeset/99298>
Comment 5 WebKit Review Bot 2011-11-04 11:09:57 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Ian 'Hixie' Hickson 2012-01-27 14:22:47 PST
As far as I can tell, this disagrees with the specs. But maybe the spec should change...
Comment 7 Ian 'Hixie' Hickson 2012-01-27 18:01:15 PST
I've changed the spec. Not sure how closely it matches what WebKit is doing.