Why unable to import image (and sound) URLs?

I realise that in general CORS (cross-origin policy) restricts what can be imported into Snap! but why images and sounds? An image element can be created with the URL as the SRC and then turned into a costume.


Mozilla says that there can still be security issues-

It is ironic that if costumes were implemented as HTML img elements then there is no CORS issue.

Here are some examples of resources which may be embedded cross-origin:

From https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access

I tried to find the rationale behind allowing images to be displayed but not copied to a canvas. It seems the images may contain secrets that could be exposed since copying the pixels to a canvas allows JavaScript access to the information in the image. E.g. a third-party ad running on a banking web app. Not sure why a bank would run the JavaScript from the third-party like that...

But even when CORS is allowed I get this error. E.g. images on Wikipedia have " access-control-allow-origin: * "
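Added example, not part of the original posts and not Snap! or browser source: a small model of the rule browsers apply when a cross-origin image is drawn to a canvas. It shows why a server sending `access-control-allow-origin: *` is not enough unless the `img` element also sets its `crossOrigin` attribute. Function names, the page URL and the remote image URL are hypothetical.

```javascript
// Added example: models the browser's canvas "origin-clean" rule for http(s) images.
// Function names are hypothetical; sample URLs and headers are constructed.

function corsCheckPasses(pageOrigin, mode, headers) {
  const acao = headers["access-control-allow-origin"];
  if (mode === "use-credentials") {
    // Credentialed requests need an exact origin match; "*" is rejected.
    return acao === pageOrigin &&
      headers["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Returns "readable", "tainted" (draws fine, but getImageData/toDataURL throw
// SecurityError) or "load-error" (the image never loads at all).
function canvasOutcome({ pageUrl, imageUrl, crossOrigin = null, headers = {} }) {
  const pageOrigin = new URL(pageUrl).origin;
  if (new URL(imageUrl, pageUrl).origin === pageOrigin) return "readable";
  // No crossorigin attribute: the fetch is "no-cors", the response is opaque,
  // and its Access-Control-Allow-Origin header is never consulted.
  if (crossOrigin === null) return "tainted";
  // Any attribute value other than "use-credentials" behaves as "anonymous".
  const mode = crossOrigin === "use-credentials" ? "use-credentials" : "anonymous";
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  return corsCheckPasses(pageOrigin, mode, lower) ? "readable" : "load-error";
}

const page = "https://snap.berkeley.edu/";                  // constructed page URL
const remote = "https://images.example.org/picture.png";    // constructed image URL
const openHeaders = { "Access-Control-Allow-Origin": "*" };
for (const [label, args] of [
  ["same origin", { imageUrl: "/img/snap-byob.png" }],
  ["ACAO *, no attribute", { imageUrl: remote, headers: openHeaders }],
  ["ACAO *, crossOrigin=anonymous", { imageUrl: remote, crossOrigin: "anonymous", headers: openHeaders }],
  ["no ACAO, crossOrigin=anonymous", { imageUrl: remote, crossOrigin: "anonymous" }],
]) {
  console.log(label, "->", canvasOutcome({ pageUrl: page, ...args }));
}
```

In a real page the "readable" case corresponds to setting `img.crossOrigin = "anonymous"` before assigning `img.src`, then calling `drawImage` and `getImageData`.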

Sounds weird to me because I never get any after removing the HTTPS protocol.

I was able to drag and drop this URL - https://snap.berkeley.edu/img/snap-byob.png

How does one remove HTTPS from Wikipedia image URLs?

While it was annoying that I had to save lots of images to the local file system, at least Snap! let me drag and drop several files at once.

I cannot remember how removing HTTPS worked. That was about 8 months ago! I do not import images anymore. In fact, I only dragged an image twice, if I recall correctly.

Wait, I just tried to take an image of mine via my webcam, and when I blocked it, it told me to remove the HTTPS part. I think this means that I got confused and directed you to the wrong path. Sorry about that.

The "tainted" message isn't just the general CORS nonsense, I think. When this first came up, at least, it was specific to SVGs. That's all I remember, though.

The issue seems to be getting down to reading the pixel/sample data. We can display any image and play back any sound, but not access the metal. Browsers suck.

Browsers suck because they are trying to protect us from people that suck. But in this case I'm still confused about what attack they are protecting us from. Third-party JavaScript somehow stealing secrets from an image on a page? I've seen some posts on the Web that are confused about this being about the person running the browser finding secrets in images that are being displayed in front of them.

Could Snap! pass the image URL to a proxy server that adds the CORS access permission? This would fail if the image is only available after authentication but that would be very rare in the Snap! context.

We use CORS proxies, but they keep disappearing. I don't know if the authors get tired of paying the hosting fees or what the deal is.

There is an extension to Chrome for this purpose.

Thanks! Is there a reason you pick this three-star one instead of one of the five-star equivalents?

First record of search result for "chrome cors extension".
Also replying with "search google ..." is considered rude and against community guidelines... usually. :slight_smile:

You mean, because you're supposed to say "search DuckDuckGo," right?

Right, exactly. DuckDuckGo has been my default search engine for years.