
[Bug 11955] The canvas should be tainted when drawing text with a cross-origin font (unless CORS was used to allow it)

From: <bugzilla@jessica.w3.org>
Date: Fri, 11 Feb 2011 02:01:16 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PniJw-0000si-4C@jessica.w3.org>

--- Comment #3 from Jonas Sicking <jonas@sicking.cc> 2011-02-11 02:01:15 UTC ---
Disclaimer: The outcome of this bug doesn't matter to Gecko one way or another
since we don't allow cross-origin fonts at all unless CORS is used. So fixing
our code to align with this change is a no-op.

This seems to close the window when the door is already opened. As you point
out, you can get lots of information using CSSOM, and likely more as time goes
on. Additionally, using things like pointer-events and SVG filters, you can get
the actual pixel data in the font too.

So the result of this bug seems to be solely to require implementations to add
code. No actual security or privacy improvements are achieved.

The only benefit I can see is if there is a long-term plan to close the
other holes too. Is that the case?

Received on Friday, 11 February 2011 02:01:17 UTC
