This repository was archived by the owner on Oct 17, 2025. It is now read-only.

feat(html): Add crossorigin attribute#2314

Closed
NiedziolkaMichal wants to merge 2 commits into main from crossorigin

@NiedziolkaMichal
Member

This PR adds an interactive example for the crossorigin attribute. I chose to show how it works with the script element, because showing how a tainted canvas works would require long and complex JS code, while the effect of crossorigin in <link> can be seen mostly in the network devtools tab.

Currently my private host is used to store the cross-origin JS code, so this PR shouldn't be merged. I won't be able to store it indefinitely, so we need a server owned by Mozilla with the Access-Control-Allow-Origin: * HTTP header which can store the following JS file:

setTimeout(() => {
    throw new Error('Secret message of error inside cross-origin script.');
}, 500);

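What the two script tags in this PR are meant to contrast, as an added sketch that is not part of the PR or the project's code: a model of the browser's muted-errors rule for classic scripts, extended to `use-credentials`, which the PR does not use. The function names, the `*.example` origins and the line and column numbers are constructed.

```javascript
// Added example (not from the PR). Models what window.onerror receives when a
// classic <script> throws, following the HTML "muted errors" rule.
// Function names and the *.example origins are constructed for illustration.
const MUTED = { message: 'Script error.', filename: '', lineno: 0, colno: 0 };

// CORS check the browser applies to the script response. Header names are
// expected in lower case. use-credentials forbids the "*" wildcard.
function corsCheckPasses(pageOrigin, crossorigin, headers) {
  const allow = headers['access-control-allow-origin'];
  if (crossorigin === 'use-credentials') {
    return allow === pageOrigin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return allow === '*' || allow === pageOrigin;
}

// crossorigin: undefined when the attribute is absent; '' or any value other
// than 'use-credentials' behaves as 'anonymous'.
function onerrorView({ pageOrigin, scriptUrl, crossorigin, headers = {}, thrown }) {
  if (new URL(scriptUrl).origin === pageOrigin) {
    return { executed: true, ...thrown };   // same origin: never muted
  }
  if (crossorigin === undefined) {
    return { executed: true, ...MUTED };    // no-cors fetch: runs, details hidden
  }
  if (!corsCheckPasses(pageOrigin, crossorigin, headers)) {
    return { executed: false };             // CORS check failed: script is blocked
  }
  return { executed: true, ...thrown };     // CORS-approved: full details
}

// Constructed scenario mirroring the PR's throwError.js.
const scriptUrl = 'https://static.example/throwError.js';
const base = {
  pageOrigin: 'https://docs.example',
  scriptUrl,
  thrown: {
    message: 'Uncaught Error: Secret message of error inside cross-origin script.',
    filename: scriptUrl, lineno: 2, colno: 11,
  },
};
const acao = { 'access-control-allow-origin': '*' };

console.log(onerrorView(base));                                        // muted
console.log(onerrorView({ ...base, crossorigin: '', headers: acao })); // full details
console.log(onerrorView({ ...base, crossorigin: '' }));                // blocked
console.log(onerrorView({ ...base, crossorigin: 'use-credentials', headers: acao })); // blocked
```

The third case is why the hosting question matters: with `crossorigin` set and no `Access-Control-Allow-Origin` header on the response, the script does not run at all.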

@@ -0,0 +1,6 @@
<script src="http://ddvdiow.cluster031.hosting.ovh.net/throwError.js"></script>

<script src="http://ddvdiow.cluster031.hosting.ovh.net/throwError.js" crossorigin></script>
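Review bot: the `src` on lines 1 and 3 carries an `http://` URL on a host outside the project (`ddvdiow.cluster031.hosting.ovh.net`), so the example page would execute whatever that host, or anyone on the network path, returns for `throwError.js`. Point both tags at an `https://` origin the project controls that sends `Access-Control-Allow-Origin: *`. The tag on line 3, which already has `crossorigin`, can additionally pin the file with an `integrity` hash, since its contents are fixed.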

Check warning

Code scanning / CodeQL

Inclusion of functionality from an untrusted source

Script loaded using unencrypted connection.
@@ -0,0 +1,6 @@
<script src="http://ddvdiow.cluster031.hosting.ovh.net/throwError.js"></script>
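Review bot: missing documentation on line 1: this tag differs from the `crossorigin` variant added later in the same file only by the absent attribute, and nothing in the markup tells the reader which of the two is expected to expose the full error and which only a generic one. Add a short HTML comment above each tag stating the expected result, for example `<!-- no crossorigin: error details are hidden from the page -->`.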

Check warning

Code scanning / CodeQL

Inclusion of functionality from an untrusted source

Script loaded using unencrypted connection.
@bsmth changed the title from "crossorigin" to "Add HTML crossorigin attribute" on Dec 7, 2022
@github-actions (bot) added the "idle" label (issues and pull requests with no activity for three months) on Jan 7, 2023
@NiedziolkaMichal mentioned this pull request on Feb 10, 2023 (94 tasks)
@NiedziolkaMichal removed the "depends on shadow DOM fix" and "idle" labels on Feb 26, 2023
@NiedziolkaMichal changed the title from "Add HTML crossorigin attribute" to "feat(html): Add crossorigin attribute" on Feb 26, 2023
@github-actions (bot) added the "idle" label on Mar 29, 2023
@Josh-Cena added the "Content:HTML" label (issues related to HTML examples) on Jul 31, 2023
@github-actions (bot) removed the "idle" label on Aug 1, 2023
@bsmth
Member

bsmth commented Aug 23, 2023

I think it's a good addition. It would be great to get some feedback or thoughts from the team as to how we host it, adding needs infra as we might need some additional setup here. Tagging @LeoMcA for some input

Member

@bsmth bsmth left a comment

We need to resolve where crossorigin resources are hosted

@github-actions (bot) added the "idle" label (issues and pull requests with no activity for three months) on Sep 23, 2023
@bsmth
Member

bsmth commented Jan 23, 2024

I'm going to close for now due to inactivity. We may reopen again at some point if supporting infra is available.

@bsmth closed this on Jan 23, 2024
@caugner deleted the crossorigin branch on October 17, 2025 10:22
Labels: Content:HTML (issues related to HTML examples), idle (issues and pull requests with no activity for three months), needs infra