> The service would need to send out the Cross Origin Resource Sharing headers in order for the image to be accessible via <canvas> and the service also needs a means for the querying server to test if a certain image is indeed the one associated with the user.

// EDIT: ignore what was here, you're right.