- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Fri, 06 May 2011 20:03:35 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv31482
Modified Files:
Overview.html
Log Message:
taint canvas if we even _consider_ a cross-site font (whatwg r6105)
Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4907
retrieving revision 1.4908
diff -u -d -r1.4907 -r1.4908
--- Overview.html 6 May 2011 19:56:18 -0000 1.4907
+++ Overview.html 6 May 2011 20:03:31 -0000 1.4908
@@ -27297,11 +27297,12 @@
false when the pattern was created.</li>
<li><p>The element's 2D context's <code title="dom-context-2d-fillText">fillText()</code> or <code title="dom-context-2d-fillText">strokeText()</code> methods are
- invoked and end up using a font that has an <a href="#origin">origin</a>
+ invoked and consider using a font that has an <a href="#origin">origin</a>
that is not the <a href="#same-origin" title="same origin">same</a> as that of
the <code><a href="#document">Document</a></code> object that owns the <code><a href="#the-canvas-element">canvas</a></code>
- element.</li>
-
+ element. (The font doesn't even have to be used; all that matters
+ is whether the font was considered for any of the glyphs
+ drawn.)</li>
</ul><p>Whenever the <code title="dom-canvas-toDataURL"><a href="#dom-canvas-todataurl">toDataURL()</a></code> method of a
<code><a href="#the-canvas-element">canvas</a></code> element whose <i>origin-clean</i> flag is set to
false is called, the method must raise a <code><a href="#security_err">SECURITY_ERR</a></code>
Received on Friday, 6 May 2011 20:03:39 UTC