Is canvas security model ignoring access-control-allow-origin headers?

Question

It seems that even if you set the access-control-allow-origin header to allow access from mydomain.org to an image hosted on domain example.org, the canvas' origin-clean flag gets set to false, and trying to manipulate that image's pixel data will trigger a security exception.

Shouldn't canvas' obey the access-control-allow-origin header and allow access to image's data without throwing an exception?

Answer 1

The access-control-allow-origin header only works for cross-domain XmlHttpRequest. The <canvas> tag DOES NOT honour that attribute, and hence what you are trying will not work.

See http://www.whatwg.org/specs/web-apps/current-work/multipage/the-canvas-element.html#security-with-canvas-elements

The only option is to proxy the image via your own server.