- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 12 Jun 2008 23:10:11 +0000 (UTC)
- To: Philip Taylor <pjt47@cam.ac.uk>
- Cc: HTML WG <public-html@w3.org>
On Sun, 27 Apr 2008, Philip Taylor wrote:
>
> Some comments on "Security with canvas elements"
> (<http://www.whatwg.org/specs/web-apps/current-work/multipage/section-the-canvas.html#security1>)
>
> "The element's 2D context's fillStyle attribute is set to a
> CanvasPattern object that was created from an HTMLCanvasElement whose
> origin-clean flag is false." (and for strokeStyle) - should say "whose
> origin-clean flag was false when the pattern was created".

Fixed (along with the other three cases).

> It's not entirely clear what order exceptions happen in. Is
> getImageData(0, 0, 0, Infinity) a security exception or an
> INDEX_SIZE_ERR? Is getImageData(0) a security exception or a
> NOT_SUPPORTED_ERR? (There are several overlapping requirements for what
> must happen when a method is called, and the precedence doesn't seem
> well-defined.)

Fixed.

> "Whenever the toDataURL() method of a canvas element whose origin-clean
> flag is set to false is called, the method must immediately raise a
> security exception." (and for getImageData) - "security exception"
> should be a link to that term's definition.

Fixed.

> In this code:
>   ctx.drawImage(different_origin_image, 0, 0);
>   ctx.width = ctx.width; // reset the bitmap and all context state
>   ctx.toDataURL();
> is it intentional that a security exception should be thrown? The spec says
> "Whenever the width and height attributes are set ... the bitmap and any
> associated contexts must be cleared back to their initial state ...", and the
> 'origin-clean' flag is part of the canvas state instead. All implementations
> do not reset that flag, so everything is correct and interoperable, but I'd
> like a "Note: The origin-clean flag is not reset to its initial value when the
> canvas's width or height attributes are changed." to make it obvious.

Ok.

> "Information leakage can occur if scripts from one origin are exposed to
> images from another origin." - that sounds unclear to me, since the
> subject/object for 'exposed' seem to be the wrong way around. I'd prefer
> "... if scripts from one origin can access information about images from
> another origin."

Cleaned it up a bit.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 12 June 2008 23:10:49 UTC
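
Added example, not part of the original message and not any browser's code: a small JavaScript model of two rules discussed in the message, namely that a pattern carries the source's origin-clean flag as it was when the pattern was created, and that setting width does not reset the flag. ModelCanvas, canRead, the scenario functions and the two origins are hypothetical names; one object stands in for both the canvas and its 2D context.

```javascript
class SecurityError extends Error {}

class ModelCanvas {
  constructor(origin) {
    this.origin = origin;        // origin of the document that owns the canvas
    this.originClean = true;     // initial value of the origin-clean flag
    this._fillStyle = "#000000";
  }
  // Source is an image-like object {origin} or another ModelCanvas.
  isCleanSource(src) {
    return src instanceof ModelCanvas ? src.originClean : src.origin === this.origin;
  }
  drawImage(src) {
    if (!this.isCleanSource(src)) this.originClean = false;
  }
  createPattern(src) {
    // The flag is sampled "when the pattern was created" and then frozen.
    return Object.freeze({ cleanWhenCreated: this.isCleanSource(src) });
  }
  set fillStyle(style) {
    const isPattern = style !== null && typeof style === "object";
    if (isPattern && !style.cleanWhenCreated) this.originClean = false;
    this._fillStyle = style;
  }
  get fillStyle() { return this._fillStyle; }
  set width(_w) {
    this._fillStyle = "#000000"; // context state is cleared, the flag is not
  }
  toDataURL() {
    if (!this.originClean) throw new SecurityError("canvas is not origin-clean");
    return "data:,";             // constructed placeholder, no bitmap is modelled
  }
}

function canRead(canvas) {
  try { canvas.toDataURL(); return true; }
  catch (e) { if (e instanceof SecurityError) return false; throw e; }
}

const SITE = "https://app.example", OTHER = "https://other.example"; // constructed

function resetScenario() {
  const c = new ModelCanvas(SITE);
  c.drawImage({ origin: OTHER });
  c.width = 300;                 // the reset from the quoted snippet
  return canRead(c);
}

function patternScenario() {
  const src = new ModelCanvas(SITE), early = new ModelCanvas(SITE), late = new ModelCanvas(SITE);
  const before = early.createPattern(src);  // src is still clean here
  src.drawImage({ origin: OTHER });         // src becomes tainted afterwards
  late.fillStyle = late.createPattern(src);
  early.fillStyle = before;
  return { early: canRead(early), late: canRead(late) };
}
```
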