Last Comment Bug 662599 - Allow cross-domain textures with CORS approval
: Allow cross-domain textures with CORS approval
: dev-doc-complete
Product: Core
Classification: Components
Component: Canvas: WebGL (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Joe Drew (not getting mail)
: Milan Sreckovic [:milan]
Depends on: 664299
Blocks: 662570 CVE-2011-2366 656277 666505
  Show dependency treegraph
Reported: 2011-06-07 12:10 PDT by Benoit Jacob [:bjacob] (mostly away)
Modified: 2014-04-25 15:16 PDT (History)
18 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Benoit Jacob [:bjacob] (mostly away) 2011-06-07 12:10:41 PDT
Since bug 656277 landed, cross-domain WebGL textures are no longer allowed. That, sadly, breaks useful content (bug 662570).

We now have to code the code allowing cross-domain textures when they have CORS approval.
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2011-06-07 13:36:37 PDT
WebKit bug:
Comment 2 Benoit Jacob [:bjacob] (mostly away) 2011-06-23 15:12:36 PDT
*** Bug 666505 has been marked as a duplicate of this bug. ***
Comment 3 Asa Dotzler [:asa] 2011-06-23 15:32:11 PDT
Broken AngryBirds was duped here so I'm carrying over our tracking Firefox 6 status to this bug. 

I'm guessing that we're not going to get this fixed for 6 but I just want to make sure that the drivers don't lose this after the duping.
Comment 4 Benoit Jacob [:bjacob] (mostly away) 2011-06-23 16:42:39 PDT
(In reply to comment #3)
> I'm guessing that we're not going to get this fixed for 6 but I just want to
> make sure that the drivers don't lose this after the duping.

I really, absolutely want to have this fixed in 6! Only reason why it's not done already is the crazy WebGL events of the past week + many bug reports to handle. If I'm not fast enough, perhaps someone more competent wants to take this. On the WebKit side they had their big gurus working on it immediately and got it done very fast.
Comment 5 Joe Drew (not getting mail) 2011-07-14 11:54:01 PDT
Bug 664299 contains an implementation of this, and is now inbound.

The dev-doc-needed here is that we now allow cross-origin images that have the crossorigin attribute specified and been verified with CORS.
Comment 6 Joe Drew (not getting mail) 2011-07-15 07:59:17 PDT
Bug 664299 has been merged to m-c!
Comment 7 Alex 2011-07-15 08:08:01 PDT
Windows 7 x64
Firefox 8.0a1 x64 
NOT fixed
Comment 8 Benoit Jacob [:bjacob] (mostly away) 2011-07-24 21:56:59 PDT
Angry Birds is working fine now. Apparently they only started using CORS recently, as until recently it also failed in Chrome 14.
Comment 9 Eric Shepherd [:sheppy] 2011-08-09 09:54:46 PDT
Documentation updated:

Also updated Firefox 7 for developers, and added a link to the Cross-domain textures article on the main WebGL landing page.
Comment 10 Benoit Jacob [:bjacob] (mostly away) 2011-08-09 09:57:48 PDT
Thanks a bunch. I didn't even know that we had this HTTP Access Control wiki page.
Comment 11 Benoit Jacob [:bjacob] (mostly away) 2011-08-09 10:02:59 PDT
I've made some changes to mostly to reflect the fact that it's only in Gecko 8 that CORS support for WebGL textures and the crossOrigin attribute for images is implemented. Please review, especially I'm not sure about the usage of the macros there.
Comment 12 Eric Shepherd [:sheppy] 2011-08-09 10:03:53 PDT
Hm, okay. It's flagged in the writing team's records as being in Firefox 7, so this is good to know. Thanks!
Comment 13 Benoit Jacob [:bjacob] (mostly away) 2011-08-09 10:08:26 PDT
Also I've taken the canvas remark out of the Gecko 5-6-7 note. It will always be true that tainted canvases can't be used as WebGL textures. I believe, but am not sure, that we want to add CORS support to canvas drawImage too to allow painting CORS-approved cross-domain images onto a canvas without tainting it; but that isn't implemented yet (last time I checked).
Comment 14 Benoit Jacob [:bjacob] (mostly away) 2011-08-09 10:09:06 PDT
(In reply to Eric Shepherd [:sheppy] from comment #12)
> Hm, okay. It's flagged in the writing team's records as being in Firefox 7,
> so this is good to know. Thanks!

Sorry about that. For a long time we hoped to get it into Firefox 7, but didn't manage to. It really is a Firefox 8 thing.
Comment 15 Simona B [:simonab ] 2011-08-19 06:05:59 PDT
Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0

Can anyone please help me with a test case or with STR/guidelines in order to get this issue checked on QA side?

Comment 16 christian 2011-09-15 13:33:18 PDT
It has been decided we won't take this in Firefox 7.
Comment 17 Luke Crouch [:groovecoder] 2011-09-19 22:59:06 PDT
Should this be fixed in Firefox 8? I'm on Aurora 2011-09-19 and still doesn't work.
Comment 18 Benoit Jacob [:bjacob] (mostly away) 2011-09-20 04:26:00 PDT
Yes it's fixed in 8. See the unit test (in 8 it's in content/canvas/test/webgl/crossorigin, in 9 it's in content/canvas/test/crossorigin).

This demo seems like it just doesn't use CORS? Hard to say as this JS code is obfuscated/minified.
Comment 19 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 15:06:55 PDT
qa-: no QA fix verification needed

Note You need to log in before you can comment on or make changes to this bug.