Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin. Not sure if this is a bug or feature, specs are somehow ambiguous: http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#attr-crossorigin-anonymous (it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same) This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same. How to reproduce: Go for example here: http://mrdoob.github.com/three.js/examples/webgl_materials_normalmap2.html This used to show textured model. Instead Chrome console now shows exception: "Cross-origin image load denied by Cross-Origin Resource Sharing policy." Additional info: This issue is related to following Chromium and three.js issues: http://code.google.com/p/chromium/issues/detail?id=82042 https://github.com/mrdoob/three.js/issues/687 Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin.
I need to double-check the spec and Firefox's behavior.
Created attachment 113599 [details] Patch
Comment on attachment 113599 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=113599&action=review > Source/WebCore/loader/ImageLoader.cpp:246 > + if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) > + && !m_element->document()->securityOrigin()->canRequest(image()->response().url()) > + && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) { Maybe this can be factored into an inline member function so the if statement is easier to read. The name of that function could help document what is going on, too.
Comment on attachment 113599 [details] Patch Clearing flags on attachment: 113599 Committed r99298: <http://trac.webkit.org/changeset/99298>
All reviewed patches have been landed. Closing bug.
As far as I can tell, this disagrees with the specs. But maybe the spec should change...
I've changed the spec. Not sure how closely it matches what WebKit is doing.