- From: <bugzilla@jessica.w3.org>
- Date: Tue, 02 Nov 2010 20:29:01 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203

- Summary: Canvas security model does not allow for same-origin relaxation
- Product: HTML WG
- Version: unspecified
- Platform: All
- OS/Version: All
- Status: NEW
- Severity: normal
- Priority: P2
- Component: HTML Canvas 2D Context (editor: Ian Hickson)
- AssignedTo: ian@hixie.ch
- ReportedBy: matt.schemmel@gmail.com
- QAContact: public-html-bugzilla@w3.org
- CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org

There appears to be a gap in the security model specification between the 'canvas' and 'script' elements.

The canvas security model http://www.w3.org/TR/html5/the-canvas-element.html#security-with-canvas-elements offers no way to relax the security check from "same origin" to "effective script origin", as defined here http://www.w3.org/TR/html5/origin-0.html#relaxing-the-same-origin-restriction

More accurately, there appears to be no way for the canvas context to use an effective script origin other than the actual origin of the resource. This prevents any use of the canvas interface by scripts sourced from a Document with a relaxed domain.

The HTML5 specification has been carefully implemented in the Mozilla project, and it is clear to see the effect: scripts that use the canvas API to filter images from host.domain.com fail on Firefox 3.x, where they operate successfully using Chrome, IE, etc.

The goal of this request is to introduce an effective-script-origin analogue for the canvas element, perhaps by introducing a method to set the effective script of the canvas object similar to document.domain for the Document.

--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email

------- You are receiving this mail because: -------

You are the QA contact for the bug.
Received on Tuesday, 2 November 2010 20:29:02 UTC
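
The gap described in this report, as an added sketch that is not part of the original message and not any browser's code: a small JavaScript model in which relaxing `document.domain` satisfies the script-to-script check but leaves the canvas origin-clean check, which compares actual origins, unchanged. The page host `www.domain.com`, the frame URL, and every class and function name are constructed for illustration, and the public-suffix restriction on `document.domain` is left out.

```javascript
// Model of the canvas origin-clean check; names are illustrative, not browser APIs.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port };
}
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}
class ModelDocument {
  constructor(url) {
    this.origin = originOf(url); // actual origin, never changes
    this.relaxedDomain = null;   // changed only by setDomain()
  }
  // Models assigning document.domain: only the host itself or a parent suffix is accepted.
  setDomain(domain) {
    const host = this.origin.host;
    if (host !== domain && !host.endsWith("." + domain)) throw new Error("SECURITY_ERR");
    this.relaxedDomain = domain;
  }
}
// Effective script origin: once either side relaxes, both must have relaxed to the same domain.
function scriptAccessAllowed(a, b) {
  if (a.relaxedDomain !== null || b.relaxedDomain !== null) {
    return a.origin.scheme === b.origin.scheme && a.relaxedDomain === b.relaxedDomain;
  }
  return sameOrigin(a.origin, b.origin);
}
class ModelCanvas {
  constructor(ownerDocument) { this.doc = ownerDocument; this.originClean = true; }
  // The image is checked against the owner document's actual origin; relaxedDomain is ignored.
  drawImage(imageUrl) {
    if (!sameOrigin(originOf(imageUrl), this.doc.origin)) this.originClean = false;
  }
  toDataURL() {
    if (!this.originClean) throw new Error("SECURITY_ERR");
    return "data:,"; // placeholder for the encoded bitmap
  }
}
function demo() {
  const page = new ModelDocument("http://www.domain.com/app.html");     // constructed host
  const frame = new ModelDocument("http://host.domain.com/frame.html"); // constructed URL
  page.setDomain("domain.com");
  frame.setDomain("domain.com");
  const canvas = new ModelCanvas(page);
  canvas.drawImage("http://host.domain.com/photo.png");
  let readBack = "ok";
  try { canvas.toDataURL(); } catch (e) { readBack = e.message; }
  return { scripts: scriptAccessAllowed(page, frame), originClean: canvas.originClean, readBack };
}
```
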