W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > November 2012

[Bug 20034] canvas getImageData opens security whole for code

From: <bugzilla@jessica.w3.org>
Date: Wed, 21 Nov 2012 21:04:52 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-20034-2486-v8iT9x5PRj@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034

--- Comment #7 from Boris Zbarsky <bzbarsky@mit.edu> ---
> When you has normal XHR code there is per default an validation of the same
> host.

Yes, but hosts can opt in to loads from them.

And while browsers can load images from anywhere, and draw them into a canvas,
they can only getImageData the result if the image was from the same host or if
the host opted into it, just like XHR.

> Also any Virus detection tools can block it when they found a signature of
> malicious text (code).

Again, if the web page is not cooperating, right?  If the web page and the
server are cooperating, then they can just obfuscate the source code (rot13,
encrypt, encode as an image, whatever).

It really would help if you answered my questions about your attack model...
because as far as I can tell, getImageData doesn't allow anything
XMLHttpRequest didn't already allow.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Wednesday, 21 November 2012 21:04:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 21 November 2012 21:04:54 GMT