[Bug 20034] canvas getImageData opens security whole for code from bugzilla@jessica.w3.org on 2012-11-21 (public-html-bugzilla@w3.org from November 2012)

From: <bugzilla@jessica.w3.org>
Date: Wed, 21 Nov 2012 15:44:13 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-20034-2486-z45zy1r5gP@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034

--- Comment #5 from Boris Zbarsky <bzbarsky@mit.edu> ---
Ah, so your concern is that the code signature will not be found because the
image encoder obfuscates it?

How is that different from any other obfuscation method applied to code that's
fetched with XHR?

What's the attack model here?  Is the code calling eval() actively trying to
smuggle in code somewhere, such that it's cooperating with the server the image
is coming from to do so?  Or is the server an attacker while the code calling
eval() is not trying to do anything bad?

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 21 November 2012 15:44:19 UTC