- From: Philip Taylor <pjt47@cam.ac.uk>
- Date: Sun, 27 Apr 2008 01:10:14 +0100
- To: HTML WG <public-html@w3.org>
Some comments on "Security with canvas elements" (<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-canvas.html#security1>)

"The element's 2D context's fillStyle attribute is set to a CanvasPattern object that was created from an HTMLCanvasElement whose origin-clean flag is false." (and for strokeStyle) - should say "whose origin-clean flag was false when the pattern was created".

It's not entirely clear what order exceptions happen in. Is getImageData(0, 0, 0, Infinity) a security exception or an INDEX_SIZE_ERR? Is getImageData(0) a security exception or a NOT_SUPPORTED_ERR? (There are several overlapping requirements for what must happen when a method is called, and the precedence doesn't seem well-defined.)

"Whenever the toDataURL() method of a canvas element whose origin-clean flag is set to false is called, the method must immediately raise a security exception." (and for getImageData) - "security exception" should be a link to that term's definition.

In this code:

    ctx.drawImage(different_origin_image, 0, 0);
    ctx.width = ctx.width; // reset the bitmap and all context state
    ctx.toDataURL();

is it intentional that a security exception should be thrown? The spec says "Whenever the width and height attributes are set ... the bitmap and any associated contexts must be cleared back to their initial state ...", and the 'origin-clean' flag is part of the canvas state instead. All implementations do not reset that flag, so everything is correct and interoperable, but I'd like a "Note: The origin-clean flag is not reset to its initial value when the canvas's width or height attributes are changed." to make it obvious.

"Information leakage can occur if scripts from one origin are exposed to images from another origin." - that sounds unclear to me, since the subject/object for 'exposed' seem to be the wrong way around. I'd prefer "... if scripts from one origin can access information about images from another origin."

-- 
Philip Taylor
pjt47@cam.ac.uk
Received on Sunday, 27 April 2008 00:10:58 UTC
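
Added example, not part of the original message or of the spec: a small flag-only model of the two behaviours the message asks the spec to state explicitly, namely that a pattern's taint is fixed when the pattern is created and that resetting the width does not reset origin-clean. ModelCanvas, ModelPattern, SecurityError and the example.test origins are hypothetical stand-ins, not browser APIs, and the order in which competing exceptions fire is left unmodelled.

```javascript
// Flag-only model (assumption: pixels, contexts and argument checks are ignored).
class SecurityError extends Error {}

// An image is {origin}; a canvas carries its own originClean flag.
const isClean = (src, origin) =>
  src instanceof ModelCanvas ? src.originClean : src.origin === origin;

class ModelPattern {
  // Taint is snapshotted at creation, per the wording suggested in the message.
  constructor(clean) { this.clean = clean; }
}

class ModelCanvas {
  constructor(origin) {
    this.origin = origin;
    this.originClean = true;
    this._width = 300;
    this._fillStyle = "#000000";
  }
  drawImage(src) { if (!isClean(src, this.origin)) this.originClean = false; }
  createPattern(src) { return new ModelPattern(isClean(src, this.origin)); }
  set fillStyle(v) {
    if (v instanceof ModelPattern && !v.clean) this.originClean = false;
    this._fillStyle = v;
  }
  get fillStyle() { return this._fillStyle; }
  // Setting width clears bitmap and context state; originClean is NOT reset.
  set width(w) { this._width = w; this._fillStyle = "#000000"; }
  get width() { return this._width; }
  toDataURL() {
    if (!this.originClean) throw new SecurityError("canvas is not origin-clean");
    return "data:,"; // placeholder result for the model
  }
}

const OWN = "https://a.example.test", FOREIGN = { origin: "https://b.example.test" };

function widthResetKeepsTaint() {
  const c = new ModelCanvas(OWN);
  c.drawImage(FOREIGN);
  c.width = c.width; // the reset idiom from the message
  try { c.toDataURL(); return false; } catch (e) { return e instanceof SecurityError; }
}

function patternTaintIsSnapshotted() {
  const src = new ModelCanvas(OWN), d1 = new ModelCanvas(OWN), d2 = new ModelCanvas(OWN);
  const early = d1.createPattern(src); // src still clean here
  src.drawImage(FOREIGN);              // src becomes tainted afterwards
  d1.fillStyle = early;
  d2.fillStyle = d2.createPattern(src);
  return [d1.originClean, d2.originClean];
}
```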