[whatwg] Canvas and drawWindow

On Thu, May 12, 2011 at 1:58 AM, Ian Hickson <ian at hixie.ch> wrote:
> This is something that is rife with serious security concerns: exposing
> history, the potential for cross-origin data leakage, introspecting
> spelling-checker user dictionaries, inspecting data that is otherwise
> hidden such as user theme preferences or file input paths...
>
> This is not something to undertake lightly. Even if we found a way to
> actually determine when to taint a drawn image,

Easy: always.  I don't believe for a second that you're going to get
it secure otherwise.  Any user preference that affects display enables
fingerprinting.  Any link whose appearance would vary based on whether
it's visited would have to taint it (in browsers like Firefox that
have any security in that respect to start with).  Any text input, as
you note, would leak spellcheck info.  This is even if there's no
cross-origin content on the page at all.  The only possible way you
could do this is by constructing an entirely separate fake image that
has all identifying information removed -- you're never going to be
able to provide a real screenshot (unless the fake one happens to
coincidentally match the real one).

> we could never allow such
> data to be uploaded to a server or reused in WebGL (due to the shader
> timing attacks).

Why would it be any worse than cross-origin images?

Received on Thursday, 12 May 2011 17:00:22 UTC