
[whatwg] "offscreen canvas" /Access to canvas functionality from a worker

From: Dmitry Titov <dimich@google.com>
Date: Thu, 10 Dec 2009 14:12:10 -0800
Message-ID: <28040fc60912101412o4a19883aq5725c83d86d7b7c9@mail.gmail.com>

On Thu, Dec 10, 2009 at 1:36 PM, Oliver Hunt <oliver at apple.com> wrote:

>
> Additionally there's the question of origin tainting -- is it possible to
> taint the origin in a worker? You don't have image elements, you can't XHR
> unsafely to other origins, but maybe I'm missing something?
>

Is origin tainting relevant here because we want to make sure the image
being processed before upload does not get sent to a malicious site by
the compromised worker script? It seems the UA should taint the connected
documents once the worker gets tainted.

There is importScript that can go cross-origin, just like a <script> tag.
Going to http or a different origin should trigger a 'mixed content' indication
in the UA for all pages connected to the worker. XHR is SOP but there are bad SSL
certs. Normally the worker's XHR would silently fail if it received a bad SSL
cert response, but if the user previously replied "trust the site anyways"
on the scary dialog while visiting the site, I think the access from the worker
then goes through with the bad cert, since the user already 'approved' it for the
whole origin.

Dmitry
Received on Thursday, 10 December 2009 14:12:10 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:54 UTC