- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 19 May 2014 01:30:19 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Adam Barth <w3c@adambarth.com>, Joel Weinberger <jww@google.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebApps WG <public-webapps@w3.org>
On Sun, May 18, 2014 at 6:38 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Sat, May 17, 2014 at 12:22 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> And I agree with them. The fact that <iframe>s end up same-origin
>> makes it easier to XSS a website by tricking it to load a URL of the
>> attacker's choice in an iframe. Or open a worker using a URL of the
>> attacker's choice.
>
> I guess that is fair. Should a cross-origin blob URL taint the <canvas>?

In at least Chrome and Firefox, blob: acts like filesystem: and can't be loaded cross-origin. Even in cases when we normally permit loading of cross-origin resources like in <img> and <script>. This has been to prevent websites from being able to steal data by guessing UUIDs (at least the Gecko UUID generator isn't guaranteed to produce unguessable UUIDs).

So the question of <canvas> tainting doesn't really come into play, since you can't even load the cross-origin blob: into an image and draw it into the canvas.

/ Jonas
Received on Monday, 19 May 2014 08:31:16 UTC
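As an added illustration (not code from this thread or from any browser), the following derives a blob: URL's origin and applies the same-origin-only loading rule Jonas describes; it assumes the URL Standard's rule that a blob: URL's origin is the origin of the http(s) URL carried in its path, and the origins and UUID used are constructed sample values.

```javascript
// Added example (not from the thread): derive the origin of a blob: URL and
// apply the "blob: is never loadable cross-origin" rule discussed above.
// Assumption: as in the URL Standard, a blob: URL's origin is the origin of
// the http(s) URL embedded in its path; anything else is an opaque origin.

function blobUrlOrigin(blobUrl) {
  if (!blobUrl.startsWith("blob:")) {
    throw new TypeError("not a blob: URL");
  }
  const inner = blobUrl.slice("blob:".length);
  let parsed;
  try {
    parsed = new URL(inner);
  } catch {
    return "null"; // unparsable path (e.g. blob:null/...) -> opaque origin
  }
  if (parsed.protocol === "http:" || parsed.protocol === "https:") {
    return parsed.origin;
  }
  return "null"; // other schemes in the path also yield an opaque origin
}

// Loading decision: blob: resources are only loadable same-origin, even in
// contexts such as <img> or <script> that normally accept cross-origin loads.
// Returns a reason so a caller can log why a load was refused.
function checkBlobLoad(requesterOrigin, blobUrl) {
  const origin = blobUrlOrigin(blobUrl);
  if (origin === "null") {
    return { allowed: false, reason: "opaque blob origin" };
  }
  if (origin !== requesterOrigin) {
    return { allowed: false, reason: `cross-origin blob (${origin})` };
  }
  return { allowed: true, reason: "same-origin" };
}

// Constructed sample values; the UUID is made up for this example.
const sampleUuid = "8a2e1b7c-4d21-4f0e-9a5b-3c6d7e8f9a01";
const sampleBlobUrl = `blob:https://app.example/${sampleUuid}`;
const sameOrigin = checkBlobLoad("https://app.example", sampleBlobUrl);
const crossOrigin = checkBlobLoad("https://other.example", sampleBlobUrl);
console.log(sameOrigin, crossOrigin);
```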