- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 25 Jul 2008 19:29:50 -0700
- To: Philip Taylor <pjt47@cam.ac.uk>
- CC: HTML WG <public-html@w3.org>
Philip Taylor wrote: > "Arguments other than the type must be ignored, and must not cause the > user agent to raise an exception (as would normally occur if a method > was called with the wrong number of arguments). A future version of this > specification will probably allow extra parameters to be passed to > toDataURL() to allow authors to more carefully control compression > settings, image metadata, etc." ... > Firefox 2/3 violates the spec > (https://bugzilla.mozilla.org/show_bug.cgi?id=401795) and throws a > security exception when there's an extra argument to toDataURL Actually, it allows passing in options to control PNG encoding (exactly as described above), but there has been no security review to see whether those options are OK for untrusted content, hence the exception if the caller doesn't have certain privileges. It's not clear to me how UAs can experiment with allowing various options here without running afoul of the spec, to be honest, since anything you do is likely to conflict with future to-be-specified behavior. If we're going to have an extensibility mechanism here, it seems like it would be nice if it could be used for extensibility.... -Boris
Received on Saturday, 26 July 2008 02:30:54 UTC