[Webkit-unassigned] [Bug 71053] New: Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 27 12:29:40 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=71053

           Summary: Anonymous CORS fetch for WebGL texture fails when
                    there is no appropriate server response even for the
                    same origin requests
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebGL
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: postfilter at gmail.com
                CC: abarth at webkit.org


Asking for anonymous CORS fetch for WebGL texture from the server that doesn't know about CORS throws security exception even when the script and image share the same origin.

Not sure if this is a bug or feature, specs are somehow ambiguous:

http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#attr-crossorigin-anonymous

(it is clear that security exception should be thrown when CORS request does not succeed when origins do differ, what is not clear is what should happen when origins are the same)

This behavior changed in recent Chrome Canary 17.0.919.0. Before, when you asked for anonymous CORS (by setting image.crossOrigin='') it didn't matter what server did if origins of the script and image were the same.

How to reproduce:

Go for example here:

http://mrdoob.github.com/three.js/examples/webgl_materials_normalmap2.html

This used to show textured model. Instead Chrome console now shows exception:

"Cross-origin image load denied by Cross-Origin Resource Sharing policy."

Additional info:

This issue is related to following Chromium and three.js issues:

http://code.google.com/p/chromium/issues/detail?id=82042

https://github.com/mrdoob/three.js/issues/687

Firefox 7.0.1 and nightly Firefox 10.0a1 (2011-10-27) do behave like Chrome used to (stable Chrome 15.0.874.106 still works like this): CORS fetch mode does not matter when image and script share the same origin.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list