[Webkit-unassigned] [Bug 63090] img.crossOrigin not respected on cached images

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 21 14:36:02 PST 2012


https://bugs.webkit.org/show_bug.cgi?id=63090





--- Comment #14 from Kenneth Russell <kbr at google.com>  2012-12-21 14:38:14 PST ---
(In reply to comment #13)
> Kenneth, your curl request is for HEAD and not GET. Try:
> 
> curl --head -X GET -H "Origin: http://fiddle.jshell.net" http://s3-us-west-1.amazonaws.com/jsfiddle/imgres-1.jpeg
> 
> You will receive:
> 
> HTTP/1.1 200 OK
> x-amz-id-2: GmcjGP0tZOHdbuZPOxkk+NzYTR9/oRT1G2O2Y7GhV7uctzhLz5E3ppw+dg/mbdh0
> x-amz-request-id: FC7C2B7427CA3014
> Date: Fri, 21 Dec 2012 21:50:21 GMT
> Access-Control-Allow-Origin: http://fiddle.jshell.net
> Access-Control-Allow-Methods: PUT, GET
> Access-Control-Max-Age: 300
> Access-Control-Allow-Credentials: true
> Last-Modified: Fri, 21 Dec 2012 15:28:53 GMT
> ETag: "a1c3d2e8bb3fc2d09a7d2b299c82b8ad"
> Accept-Ranges: bytes
> Content-Type: image/jpeg
> Content-Length: 6497
> Server: AmazonS3
> 
> Which is a correct set of headers; furthermore, the jsfiddle was corrected and showed the issue appropriately.
> 
> It would be helpful to re-open this so we can track it! Thanks.

Matthew, thanks for the correction. However, the response headers for this request are still broken.

curl --head -X GET -H "Origin: http://fiddle.jshell.net" http://s3-us-west-1.amazonaws.com/jsfiddle/imgres-1.jpeg
curl --head -X GET -H "Origin: http://google.com" http://s3-us-west-1.amazonaws.com/jsfiddle/imgres-1.jpeg

The latter request does not return the Access-Control-Allow-Origin response header, which means that the response varies based on the request's Origin header, and must always include the "Vary: Origin" header for correctness. This is described clearly in Comment #4 above. If you include this header (for all requests for this resource, not just CORS requests) I think your examples will start working, but that's because caching for this resource will be disabled in most browsers.

If you find this not to be the case then please tell me and I'll reopen this bug.

Please see the update just made to https://code.google.com/p/chromium/issues/detail?id=158131 which describes how to achieve caching of resources as well as anonymous CORS support.
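
The cache interaction discussed in this comment, as an added example that is not part of the original message and is not WebKit, Chromium or S3 code: a constructed model of an origin server that sends Access-Control-Allow-Origin only for an allow-listed Origin, placed behind a cache that keys on the headers named in Vary. The names `originServer`, `HttpCache`, `corsCheckPasses` and `scenario`, the placeholder URL, and the assumption that the cache honors Vary are all illustrative.

```javascript
// Added illustration (constructed model, not WebKit, Chromium or S3 code).
const ALLOWED = new Set(["http://fiddle.jshell.net"]);
// Server behaving as in the thread: ACAO only for an allow-listed Origin.
function originServer(req, sendVary) {
  const headers = { "content-type": "image/jpeg" };
  if (req.origin && ALLOWED.has(req.origin)) {
    headers["access-control-allow-origin"] = req.origin;
  }
  if (sendVary) headers["vary"] = "Origin"; // sent on every response, CORS or not
  return { status: 200, headers };
}

// Cache whose secondary key comes from the request headers named in Vary.
class HttpCache {
  constructor() { this.entries = new Map(); } // url -> [{ key, response }]
  static key(response, req) {
    const vary = response.headers["vary"] || "";
    return vary.split(",").map(h => h.trim().toLowerCase()).filter(Boolean)
      .map(h => `${h}=${req[h] || ""}`).join("&");
  }
  fetch(url, req, server) {
    const stored = this.entries.get(url) || [];
    const hit = stored.find(e => HttpCache.key(e.response, req) === e.key);
    if (hit) return { response: hit.response, fromCache: true };
    const response = server(req);
    stored.push({ key: HttpCache.key(response, req), response });
    this.entries.set(url, stored);
    return { response, fromCache: false };
  }
}

// Check applied to a crossOrigin="anonymous" image before it counts as CORS-clean.
function corsCheckPasses(response, origin) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Plain <img> load first (no Origin header), then an img.crossOrigin load.
function scenario(sendVary) {
  const cache = new HttpCache();
  const url = "http://cdn.example/img.jpeg"; // placeholder URL
  const origin = "http://fiddle.jshell.net";
  const server = req => originServer(req, sendVary);
  cache.fetch(url, {}, server);
  const second = cache.fetch(url, { origin }, server);
  return { fromCache: second.fromCache, corsOk: corsCheckPasses(second.response, origin) };
}

console.log(scenario(false), scenario(true));
```

Without `Vary: Origin` the second load is answered from the entry stored for the request that had no Origin header, so the CORS check fails; with it, the cache keeps a separate entry per Origin value.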
