hixie: taint canvas if we even _consider_ a cross-site font (whatwg r6105)

http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.4907&r2=1.4908&f=h
http://html5.org/tools/web-apps-tracker?from=6104&to=6105

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4907
retrieving revision 1.4908
diff -u -d -r1.4907 -r1.4908
--- Overview.html 6 May 2011 19:56:18 -0000 1.4907
+++ Overview.html 6 May 2011 20:03:31 -0000 1.4908
@@ -27297,11 +27297,12 @@
    false when the pattern was created.</li>
 
    <li><p>The element's 2D context's <code title="dom-context-2d-fillText">fillText()</code> or <code title="dom-context-2d-fillText">strokeText()</code> methods are
-   invoked and end up using a font that has an <a href="#origin">origin</a>
+   invoked and consider using a font that has an <a href="#origin">origin</a>
    that is not the <a href="#same-origin" title="same origin">same</a> as that of
    the <code><a href="#document">Document</a></code> object that owns the <code><a href="#the-canvas-element">canvas</a></code>
-   element.</li>
-
+   element. (The font doesn't even have to be used; all that matters
+   is whether the font was considered for any of the glyphs
+   drawn.)</li> 
   </ul><p>Whenever the <code title="dom-canvas-toDataURL"><a href="#dom-canvas-todataurl">toDataURL()</a></code> method of a
   <code><a href="#the-canvas-element">canvas</a></code> element whose <i>origin-clean</i> flag is set to
   false is called, the method must raise a <code><a href="#security_err">SECURITY_ERR</a></code>
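
Review bot: "considered" in the added parenthetical ("all that matters is whether the font was considered for any of the glyphs drawn") carries the whole requirement but is not defined in this hunk, so implementations could disagree on when fillText() or strokeText() must set the origin-clean flag to false. Is a cross-origin font that is merely listed in the font property but never reached during per-glyph font selection "considered"? Suggest tying the word to a defined font-matching step. Since the sentence changes when the flag is cleared, also state it as a requirement rather than inside parentheses. Minor points: the new "drawn.)</li> " line ends with trailing whitespace, and in the context line above, the strokeText() code element carries title="dom-context-2d-fillText", which looks like a copy of the fillText() title.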

Received on Friday, 6 May 2011 20:06:14 UTC