
Canvas security comments

From: Philip Taylor <pjt47@cam.ac.uk>
Date: Sun, 27 Apr 2008 01:10:14 +0100
Message-ID: <4813C466.7010408@cam.ac.uk>
To: HTML WG <public-html@w3.org>

Some comments on "Security with canvas elements" 
(<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-canvas.html#security1>)


"The element's 2D context's fillStyle attribute is set to a 
CanvasPattern object that was created from an HTMLCanvasElement whose 
origin-clean flag is false." (and for strokeStyle) - should say "whose 
origin-clean flag was false when the pattern was created".


It's not entirely clear what order exceptions happen in. Is 
getImageData(0, 0, 0, Infinity) a security exception or an 
INDEX_SIZE_ERR? Is getImageData(0) a security exception or a 
NOT_SUPPORTED_ERR? (There are several overlapping requirements for what 
must happen when a method is called, and the precedence doesn't seem 
well-defined.)


"Whenever the toDataURL() method of a canvas element whose origin-clean 
flag is set to false is called, the method must immediately raise a 
security exception." (and for getImageData) - "security exception" 
should be a link to that term's definition.


In this code:
   ctx.drawImage(different_origin_image, 0, 0);
   canvas.width = canvas.width; // reset the bitmap and all context state
   canvas.toDataURL();
is it intentional that a security exception should be thrown? The spec 
says "Whenever the width and height attributes are set ... the bitmap 
and any associated contexts must be cleared back to their initial state 
...", and the 'origin-clean' flag is part of the canvas state instead. 
No implementation resets that flag, so everything is correct and 
interoperable, but I'd like a "Note: The origin-clean flag is not reset 
to its initial value when the canvas's width or height attributes are 
changed." to make it obvious.


"Information leakage can occur if scripts from one origin are exposed to 
images from another origin." - that sounds unclear to me, since the 
subject/object for 'exposed' seem to be the wrong way around. I'd prefer 
"... if scripts from one origin can access information about images from 
another origin."

-- 
Philip Taylor
pjt47@cam.ac.uk
Received on Sunday, 27 April 2008 00:10:58 UTC
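The origin-clean behaviour discussed in the mail, as an added model (not code from the mail, the spec or any browser): TaintCanvas and CanvasPattern are hypothetical names, and the width-reset and pattern-creation cases are the ones the mail raises.

```javascript
// Added model (not the mail's or the spec's code) of the origin-clean rules above; names are hypothetical.
function securityError() { const e = new Error("origin-clean flag is false"); e.name = "SecurityError"; return e; }

// A pattern records its source canvas's origin-clean flag at creation time.
class CanvasPattern {
  constructor(source) { this.sourceWasClean = source.originClean; }
}

class TaintCanvas {
  constructor(origin) {
    this.origin = origin;        // origin of the document that owns the canvas
    this.originClean = true;
    this._width = 300;
    this._fillStyle = "#000000";
  }
  // Setting width clears the bitmap and context state but, as every
  // implementation does, leaves the origin-clean flag untouched.
  get width() { return this._width; }
  set width(w) { this._width = w; this._fillStyle = "#000000"; }
  get fillStyle() { return this._fillStyle; }
  set fillStyle(style) {
    // Taints only if the pattern's source was tainted when the pattern was made.
    if (style instanceof CanvasPattern && !style.sourceWasClean) this.originClean = false;
    this._fillStyle = style;
  }
  drawImage(image) { if (image.origin !== this.origin) this.originClean = false; }
  createPattern(source) { return new CanvasPattern(source); }
  toDataURL() {
    if (!this.originClean) throw securityError();
    return "data:image/png;base64,";   // pixel payload omitted in this model
  }
}

// The three-line scenario from the mail; returns the exception name or null.
function widthResetScenario() {
  const c = new TaintCanvas("https://a.example");
  c.drawImage({ origin: "https://b.example" });
  c.width = c.width;
  try { c.toDataURL(); return null; } catch (e) { return e.name; }
}

// Patterns created before and after the source is tainted: only the second
// one taints the canvas that uses it, hence "was false when the pattern was created".
function patternScenario() {
  const src = new TaintCanvas("https://a.example");
  const before = src.createPattern(src);
  src.drawImage({ origin: "https://b.example" });
  const after = src.createPattern(src);
  const a = new TaintCanvas("https://a.example"); a.fillStyle = before;
  const b = new TaintCanvas("https://a.example"); b.fillStyle = after;
  return [a.originClean, b.originClean];
}
```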
