W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > October 2011

[Bug 14502] Why do we want to taint on style set and not on style use?

From: <bugzilla@jessica.w3.org>
Date: Sat, 29 Oct 2011 01:49:14 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1RJy2s-0006W8-Kc@jessica.w3.org>

--- Comment #12 from Boris Zbarsky <bzbarsky@mit.edu> 2011-10-29 01:49:13 UTC ---
I agree, esp on the "security vulnerability" bit; hence the question.

To be clear, Gecko's behavior at the moment is that if the document has set
document.domain then drawing _any_ non-CORS image into the canvas taints the
canvas.  At least that's what I believe based on code inspection; I have only
proved it, not tested it.  ;)

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Saturday, 29 October 2011 01:49:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:02:06 UTC