[Bug 12309] New: Need to taint canvas when a non-CORS cross-site font is in the .font from bugzilla@jessica.w3.org on 2011-03-15 (public-html-bugzilla@w3.org from March 2011)

From: <bugzilla@jessica.w3.org>
Date: Tue, 15 Mar 2011 18:55:02 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-12309-2486@http.www.w3.org/Bugs/Public/>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12309

           Summary: Need to taint canvas when a non-CORS cross-site font
                    is in the .font
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: pre-LC1 HTML Canvas 2D Context (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: jonas@sicking.cc
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


I can't currently find the text that defines how tainting works, but I seem to
recall that the spec recently defined that if text was drawn using a cross-site
font which was loaded without CORS opt-in, then the canvas should be tainted as
to prevent getting pixel data from it.

However this needs to happen also if such a font wasn't actually used to draw
into the canvas, but was attempted to be used. I.e. if you do something like

cx.font = "fontA, fontB";
cx.fillText(str, 0, 0);

if fontA is a non-CORS cross-site font, but fontB isn't. Even if the text ends
up being drawn using only fontB, that leaks information about which characters
are in fontA and thus the canvas should be tainted.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Tuesday, 15 March 2011 18:55:04 UTC