- From: poot <cvsmail@w3.org>
- Date: Fri, 06 Jan 2012 15:48:52 -0500
- To: public-html-diffs@w3.org
hixie: Make sure canvas.toBlob() honours the origin-clean flag. Also,
make it more likely this will be implemented correctly by explicitly
putting the security checks in the relevant algorithms. (whatwg r6879)
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.5478&r2=1.5479&f=h
http://html5.org/tools/web-apps-tracker?from=6878&to=6879
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.5478
retrieving revision 1.5479
diff -u -d -r1.5478 -r1.5479
--- Overview.html 16 Dec 2011 23:24:08 -0000 1.5478
+++ Overview.html 6 Jan 2012 20:46:35 -0000 1.5479
@@ -320,7 +320,7 @@
<h1>HTML5</h1>
<h2 class="no-num no-toc" id="a-vocabulary-and-associated-apis-for-html-and-xhtml">A vocabulary and associated APIs for HTML and XHTML</h2>
- <h2 class="no-num no-toc" id="editor-s-draft-16-december-2011">Editor's Draft 16 December 2011</h2>
+ <h2 class="no-num no-toc" id="editor-s-draft-6-january-2012">Editor's Draft 6 January 2012</h2>
<dl><dt>Latest Published Version:</dt>
<dd><a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a></dd>
<dt>Latest Editor's Draft:</dt>
@@ -467,7 +467,7 @@
Group</a> is the W3C working group responsible for this
specification's progress along the W3C Recommendation
track.
- This specification is the 16 December 2011 Editor's Draft.
+ This specification is the 6 January 2012 Editor's Draft.
</p><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>Work on this specification is also done at the <a href="http://www.whatwg.org/">WHATWG</a>. The W3C HTML working group
actively pursues convergence with the WHATWG, as required by the <a href="http://www.w3.org/2007/03/HTML-WG-charter">W3C HTML working
group charter</a>.</p><!-- UNDER NO CIRCUMSTANCES IS THE FOLLOWING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
@@ -29167,7 +29167,12 @@
<p>The <dfn id="dom-canvas-todataurl" title="dom-canvas-toDataURL"><code>toDataURL()</code></dfn> method
must run the following steps:</p>
- <ol><li><p>If the canvas has no pixels (i.e. either its horizontal
+ <ol><li><p>If the <code><a href="#the-canvas-element">canvas</a></code> element's <i>origin-clean</i>
+ flag is set to false, throw a <code><a href="#securityerror">SecurityError</a></code> exception
+ and abort these steps.</p>
+
+
+ <li><p>If the canvas has no pixels (i.e. either its horizontal
dimension or its vertical dimension is zero) then return the string
"<code title="">data:,</code>" and abort these steps. (This is the
shortest <a href="#data-protocol" title="data protocol"><code title="">data:</code>
@@ -29184,7 +29189,12 @@
</ol><p>The <dfn id="dom-canvas-toblob" title="dom-canvas-toBlob"><code>toBlob()</code></dfn> method
must run the following steps:</p>
- <ol><li><p>Let <var title="">callback</var> be the first
+ <ol><li><p>If the <code><a href="#the-canvas-element">canvas</a></code> element's <i>origin-clean</i>
+ flag is set to false, throw a <code><a href="#securityerror">SecurityError</a></code> exception
+ and abort these steps.</p>
+
+
+ <li><p>Let <var title="">callback</var> be the first
argument.</li>
<li><p>Let <var title="">arguments</var> be the second and
@@ -29359,23 +29369,9 @@
is whether the font was considered for any of the glyphs
drawn.)</li>
- </ul><p>Whenever the <code title="dom-canvas-toDataURL"><a href="#dom-canvas-todataurl">toDataURL()</a></code> method of a
- <code><a href="#the-canvas-element">canvas</a></code> element whose <i>origin-clean</i> flag is set to
- false is called, the method must throw a <code><a href="#securityerror">SecurityError</a></code>
- exception.</p>
-
- <p>Whenever the <code title="dom-context-2d-getImageData">getImageData()</code> method of
- the 2D context of a <code><a href="#the-canvas-element">canvas</a></code> element whose
- <i>origin-clean</i> flag is set to false is called with otherwise
- correct arguments, the method must throw a <code><a href="#securityerror">SecurityError</a></code>
- exception.</p>
-
- <p>Whenever the <code title="dom-context-2d-measureText">measureText()</code> method of
- the 2D context of a <code><a href="#the-canvas-element">canvas</a></code> element ends up using a font
- that has an <a href="#origin">origin</a> that is not the <a href="#same-origin" title="same
- origin">same</a> as that of the <code><a href="#document">Document</a></code> object that
- owns the <code><a href="#the-canvas-element">canvas</a></code> element, the method must throw a
- <code><a href="#securityerror">SecurityError</a></code> exception.</p>
+ </ul><p>The <code title="dom-canvas-toDataURL"><a href="#dom-canvas-todataurl">toDataURL()</a></code>, <code title="dom-canvas-toBlob"><a href="#dom-canvas-toblob">toBlob()</a></code>, and <code title="dom-context-2d-getImageData">getImageData()</code> methods
+ check the flag and will throw a <code><a href="#securityerror">SecurityError</a></code> exception
+ rather than leak cross-origin data.</p>
<p class="note">Even resetting the canvas state by changing its
<code title="attr-canvas-width"><a href="#attr-canvas-width">width</a></code> or <code title="attr-canvas-height"><a href="#attr-canvas-height">height</a></code> attributes doesn't reset
@@ -74523,6 +74519,7 @@
Nicolas Gallagher,
Noah Mendelsohn,
Noah Slater,
+ Noel Gordon,
NoozNooz42,
Ojan Vafai,
Olaf Hoffmann,
Received on Friday, 6 January 2012 20:51:06 UTC