- From: <bugzilla@jessica.w3.org>
- Date: Tue, 15 Mar 2011 18:55:02 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12309

Summary: Need to taint canvas when a non-CORS cross-site font is in the .font
Product: HTML WG
Version: unspecified
Platform: PC
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: pre-LC1 HTML Canvas 2D Context (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: jonas@sicking.cc
QAContact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org

I can't currently find the text that defines how tainting works, but I seem to recall that the spec recently defined that if text was drawn using a cross-site font which was loaded without CORS opt-in, then the canvas should be tainted as to prevent getting pixel data from it.

However this needs to happen also if such a font wasn't actually used to draw into the canvas, but was attempted to be used. I.e. if you do something like

    cx.font = "fontA, fontB";
    cx.fillText(str, 0, 0);

if fontA is a non-CORS cross-site font, but fontB isn't. Even if the text ends up being drawn using only fontB, that leaks information about which characters are in fontA and thus the canvas should be tainted.
Received on Tuesday, 15 March 2011 18:55:04 UTC
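
The difference between tainting on fonts actually used and tainting on fonts attempted, as an added example that is not part of the original message: a simplified model of per-character font fallback. The font table, origins, glyph sets and function names are constructed for illustration and are not spec text or browser code.

```javascript
// Constructed model: each font has an origin, a CORS opt-in flag and the
// set of characters it covers. None of these values come from the bug report.
const fonts = {
  fontA: { origin: "https://fonts.example", cors: false, glyphs: new Set("abc") },
  fontB: { origin: "https://app.example", cors: false, glyphs: new Set("abcxyz") },
};

// A font is safe to expose if it is same-origin or was loaded with CORS opt-in.
function isClean(font, docOrigin) {
  return font.origin === docOrigin || font.cors;
}

// Per-character fallback: walk the family list until a font has the glyph.
// Returns the fonts consulted (attempted) and the fonts that supplied glyphs (used).
function resolveFonts(familyList, text) {
  const names = familyList.split(",").map((s) => s.trim());
  const attempted = new Set();
  const used = new Set();
  for (const ch of text) {
    for (const name of names) {
      attempted.add(name);
      if (fonts[name].glyphs.has(ch)) {
        used.add(name);
        break;
      }
    }
  }
  return { attempted, used };
}

// rule "used": taint only if a non-clean font supplied a glyph.
// rule "attempted": taint if any non-clean font was consulted at all,
// which is the behaviour the report asks for.
function fillTextTaints(familyList, text, docOrigin, rule) {
  const { attempted, used } = resolveFonts(familyList, text);
  const relevant = rule === "attempted" ? attempted : used;
  return [...relevant].some((name) => !isClean(fonts[name], docOrigin));
}

const doc = "https://app.example";
for (const text of ["abc", "xyz"]) {
  console.log(text,
    "used-rule tainted:", fillTextTaints("fontA, fontB", text, doc, "used"),
    "attempted-rule tainted:", fillTextTaints("fontA, fontB", text, doc, "attempted"));
}
```

Under the "used" rule the canvas stays readable for "xyz" only because fontA lacks those glyphs, so the outcome depends on fontA's contents; under the "attempted" rule both draws taint the canvas regardless of coverage.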