- From: Philip Taylor <excors+whatwg@gmail.com>
- Date: Tue, 15 May 2007 03:24:09 +0100
On 15/05/07, Ian Hickson <ian at hixie.ch> wrote:
> On Wed, 4 Apr 2007, Philip Taylor wrote:
> >
> > Relating to data: URLs:
> >
> > "To prevent information leakage, the toDataURL() and getImageData()
> > methods should raise a security exception if the canvas ever had images
> > painted on it that originate from a domain other than the domain of the
> > script that painted the images onto the canvas." - is it true/obvious
> > that an image from a data: URL doesn't originate from any domain at all
> > and so it should be allowed?
>
> No, it's neither true nor obvious (nor is it obvious that it isn't true).
>
> I tried to make this clearer recently though, let me know if it's still
> confusing.

When I try working out what it says now: I see

"Security: To prevent information leakage, the toDataURL() and
getImageData() methods should raise a security exception if the canvas
has ever had an image painted on it whose origin is different from that
of the script calling the method."

and "origin" says (among other things)

"The origin of a Document or image that was generated from a data: URI
found in another Document or in a script is the origin of the that
Document or script."

so I think:

    var dataURL = canvas.toDataURL();
    // dataURL is just a string
    var img = new Image();
    img.src = dataURL;
    // img is an image that was generated from a data: URI found in this
    // Document, so its origin is the origin of this Document
    img.onload = function() {
        ctx.drawImage(img, 0, 0);
        // img has the same origin as this script (since the origin of
        // this script is the origin of this Document)
        canvas.toDataURL();
        // ...so it's fine to call this again
    }

(I'm hoping that's true, so I could say

    function save(ctx, name) {
        globalStorage[document.domain][name] = ctx.canvas.toDataURL();
    }
    function load(ctx, name) {
        var img = new Image();
        img.src = globalStorage[document.domain][name];
        img.onload = function() { ctx.drawImage(img, 0, 0); };
    }

and be allowed to save after loading.)

> > The colour parsing refers to [CSS3COLOR]. No profile is described, so
> > presumably all of CSS3 Color should be supported. In that case: what
> > should "currentColor" do, since its CSS definition makes no sense here?
>
> It makes sense -- it's the value of the 'color' property.

The 'color' property of the <canvas> element?

-- 
Philip Taylor
excors at gmail.com
Received on Monday, 14 May 2007 19:24:09 UTC
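
The following is an added example, not part of the original message or of any specification or browser code: a small JavaScript model of the two rules quoted in the message (the origin of an image generated from a data: URI, and the security exception from toDataURL()). The names ModelCanvas, makeImage and canRead, and the origins under example domains, are hypothetical and constructed for illustration.

```javascript
// Model of the rule as quoted in the message; not browser or spec code.
// All names here (ModelCanvas, makeImage, canRead) are hypothetical.
class SecurityError extends Error {}

// Origin of an image: a data: URI takes the origin of the Document or
// script it was found in; any other URL has its own scheme/host/port origin.
function makeImage(src, foundInOrigin) {
  const origin = src.startsWith("data:") ? foundInOrigin : new URL(src).origin;
  return { src, origin };
}

class ModelCanvas {
  constructor() {
    this.paintedOrigins = new Set(); // every origin ever painted; never cleared
    this.ops = [];                   // stand-in for the bitmap
  }
  drawImage(img) {
    this.paintedOrigins.add(img.origin);
    this.ops.push(img.src.length);
  }
  // Raise if any image ever painted has an origin other than the caller's.
  toDataURL(callerOrigin) {
    for (const o of this.paintedOrigins) {
      if (o !== callerOrigin) throw new SecurityError("painted from " + o);
    }
    return "data:text/plain," + this.ops.join(",");
  }
}

function canRead(canvas, callerOrigin) {
  try { canvas.toDataURL(callerOrigin); return true; }
  catch (e) { if (e instanceof SecurityError) return false; throw e; }
}

const SELF = "https://app.example"; // constructed origin

// Save/load round trip from the message: the data: URI is found in this
// document, so the reloaded image has this document's origin.
function roundTrip() {
  const canvas = new ModelCanvas();
  const saved = canvas.toDataURL(SELF);
  canvas.drawImage(makeImage(saved, SELF));
  return canRead(canvas, SELF);
}

// One cross-origin image makes the canvas unreadable from then on,
// even if same-origin images are painted afterwards.
function crossOrigin() {
  const canvas = new ModelCanvas();
  canvas.drawImage(makeImage("https://other.example/photo.png", SELF));
  canvas.drawImage(makeImage("data:image/png;base64,AAAA", SELF));
  return canRead(canvas, SELF);
}
```

Under this reading, roundTrip() returns true and crossOrigin() returns false, which is the behaviour the message hopes for in the save-then-load case.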