[whatwg] Minor addition/rewording for canvas section

From: Philip Taylor <excors+whatwg@gmail.com>
Date: Sun, 13 Jan 2008 12:22:36 +0000
Message-ID: <ea09c0d10801130422qb76b251i9f2d6f9f1be1eaf7@mail.gmail.com>

On 13/01/2008, Oliver Hunt <oliver at apple.com> wrote:
> Hi all,
>
> Section 3.14.11 contains the statement:
> "Security: To prevent information leakage, the toDataURL() and
> getImageData() methods should raise a security exception if
> the canvas has ever had an image painted on it whose origin is different
> from that of the script calling the method."
>
> In the interests of completeness this should probably read
> "Security: To prevent information leakage, the toDataURL() and
> getImageData() methods should raise a security exception if
> the canvas has ever had an image or ImageData painted on it whose origin is
> different from that of the script calling the method."
> (or similar)

What examples of information leakage is this change meant to prevent?

If you have an ImageData object then you can create a new object {
width: imgdata.width, height: imgdata.height, data: ...copy each array
element... } and then draw it, circumventing any origin information
that the ImageData object might be carrying around, so I'm not sure
why it's useful to care about the ImageData's origin. (That's unlike
Image objects where there's no other way of extracting the image
data.)

-- 
Philip Taylor
excors at gmail.com
Received on Sunday, 13 January 2008 04:22:36 UTC
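
An added example, not part of the original message or of the HTML specification: a simplified JavaScript model of the origin-clean rule quoted above, extended with the origin tag on ImageData that the proposed rewording implies. It shows that the taint set by a foreign image holds because the script never obtains the pixels, while a tag on an ImageData the script already holds does not survive the field-by-field copy described in the reply. `ModelCanvas`, `copyWithoutOrigin`, the `origin` field and the example origins are hypothetical names constructed for illustration.

```javascript
// Simplified model of the canvas origin-clean rule (hypothetical names, not a browser API).
class SecurityError extends Error {}

class ModelCanvas {
  constructor(scriptOrigin) {
    this.scriptOrigin = scriptOrigin;
    this.pixels = [0, 0, 0, 0]; // one RGBA pixel
    this.originClean = true;
  }
  // Images carry an origin; painting a foreign one taints the canvas permanently.
  drawImage(image) {
    if (image.origin !== this.scriptOrigin) this.originClean = false;
    this.pixels = image.pixels.slice();
  }
  // Variant under discussion: also taint when the ImageData carries a foreign origin tag.
  putImageData(imgdata) {
    if (imgdata.origin !== undefined && imgdata.origin !== this.scriptOrigin) this.originClean = false;
    this.pixels = Array.from(imgdata.data);
  }
  // Reading pixels back is refused once the canvas is tainted.
  getImageData() {
    if (!this.originClean) throw new SecurityError("canvas is not origin-clean");
    return { width: 1, height: 1, data: this.pixels.slice(), origin: this.scriptOrigin };
  }
}

// The copy described in the reply: a plain object with the same fields and no tag.
function copyWithoutOrigin(imgdata) {
  return { width: imgdata.width, height: imgdata.height, data: Array.from(imgdata.data) };
}

function demo() {
  const page = "https://a.example"; // constructed origins and pixel values
  const foreignImage = { origin: "https://b.example", pixels: [1, 2, 3, 255] };
  const tainted = new ModelCanvas(page);
  tainted.drawImage(foreignImage);
  let blocked = false;
  try { tainted.getImageData(); } catch (e) { blocked = e instanceof SecurityError; }

  // An ImageData tagged with another origin whose bytes the script can already read.
  const tagged = { width: 1, height: 1, data: [9, 9, 9, 255], origin: "https://b.example" };
  const direct = new ModelCanvas(page);
  direct.putImageData(tagged);
  const viaCopy = new ModelCanvas(page);
  viaCopy.putImageData(copyWithoutOrigin(tagged));
  return { blocked, directClean: direct.originClean, copyClean: viaCopy.originClean,
           copied: viaCopy.getImageData().data };
}
```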