W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > November 2010

[Bug 11203] New: Canvas security model does not allow for same-origin relaxation

From: <bugzilla@jessica.w3.org>
Date: Tue, 02 Nov 2010 20:29:01 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-11203-2486@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203

           Summary: Canvas security model does not allow for same-origin
                    relaxation
           Product: HTML WG
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML Canvas 2D Context (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: matt.schemmel@gmail.com
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


There appears to be a gap in the security model specification between the
'canvas' and 'script' elements.

The canvas security model
http://www.w3.org/TR/html5/the-canvas-element.html#security-with-canvas-elements

offers no way to relax the security check from "same origin" to "effective
script origin", as defined here
http://www.w3.org/TR/html5/origin-0.html#relaxing-the-same-origin-restriction

More accurately, there appears to be no way for the canvas context to use an
effective script origin other than the actual origin of the resource. This
prevents any use of the canvas interface by scripts sourced from a Document
with a relaxed domain.

The HTML5 specification has been carefully implemented in the Mozilla project,
and it is clear to see the effect: scripts that use the canvas API to filter
images from host.domain.com fail on Firefox 3.x, where they operate
successfully using Chrome, IE, etc.

Goal of this request is to introduce an effective-script-origin analogue for
the canvas element, perhaps by introducing a method to set the effective script
of the canvas object similar to document.domain for the Document.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Tuesday, 2 November 2010 20:29:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 November 2010 20:29:02 GMT