- From: <bugzilla@jessica.w3.org>
- Date: Wed, 21 Nov 2012 16:20:28 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034

--- Comment #6 from Klaus Bertram <bertram@n-bis.de> ---
Yes, that's my concern, because:
Every browser can load images from elsewhere without restrictions. There is no validation of it.
When you have normal XHR code, there is by default a validation of the same host.
Also, any virus detection tool can block it when it finds a signature of malicious text (code). This is not given in an image.

Before canvas, there was in my opinion no chance to get the byte data of any image values. So you couldn't deliver code in it.

The attack model here is: with 3 lines of legal code and via image loading, an attack is possible from single user to enterprise companies.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Wednesday, 21 November 2012 16:20:32 UTC