W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2009

[whatwg] Canvas origin-clean should not ignore Access Control for Cross-Site Requests

From: Jerason Banes <jbanes@gmail.com>
Date: Fri, 13 Mar 2009 12:07:35 -0500
Message-ID: <82c3f5040903131007g1d751dd2u16c2eb161af83b68@mail.gmail.com>
I think this is an excellent point. I've been playing with the Chroma-Key
replacement trick demonstrated in FireFox 3.1b3:
https://developer.mozilla.org/samples/video/chroma-key/index.xhtml
https://developer.mozilla.org/En/Manipulating_video_using_canvas

For my own experiments, I grabbed a green-screen video from Youtube and
converted it to OGG. If the access control were in place for Canvas, I could
have done direct compositing on an embedded video from TinyVid. Which would
open up some interesting possibilities for video mashups on the web.

Thanks,
Jerason

On Fri, Mar 13, 2009 at 11:24 AM, Hans Schmucker <hansschmucker at gmail.com>wrote:

> This problem recently became apparent while trying to process a public
> video on tinyvid.tv:
>
> In article 4.8.11.3 "Security with canvas elements", the origin-clean
> flag is only set depending on an element's origin. However there are
> many scenarios where an image/video may actually be public and
> actively allowing processing on other domains (as indicated by
> Access-Control-Allow-Origin).
>
> Is this an oversight or is there a specific reason why Access Control
> for Cross-Site Requests should not work for Canvas?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090313/5f8c9107/attachment-0001.htm>
Received on Friday, 13 March 2009 10:07:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:47:49 GMT