W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2010

[whatwg] Canvas 2D Context Proposal: resetOriginClean

From: Charles Pritchard <chuck@jumis.com>
Date: Tue, 20 Apr 2010 04:18:32 -0700
Message-ID: <4BCD8D88.4040704@jumis.com>
Issue:
There does not seem to be a standard method of requesting elevated 
permissions
where local file access or cross-domain file access is required.

Consequence:
Currently, one must create a duplicate origin-clean Canvas element
to copy image data from a dirty element after privilege escalation.


Proposed method:
CanvasRenderingContext2D
    resetOriginClean
throws SECURITY_ERR  exception

When resetOriginClean is executed, an implementation shall request elevated
privileges, and if granted, set the origin-clean flag of the canvas 
element to true.


Background:

Section 4.8.10.3 Security with canvas  elements

Information leakage can occur if scripts from one origin  can access 
information (e.g. read pixels) from images from another origin (one that 
isn't the same).
To mitigate this, canvas elements are defined to have a flag indicating 
whether they are origin-clean. All canvas elements must start with their 
origin-clean set to true.


-Charles
Received on Tuesday, 20 April 2010 04:18:32 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:22 UTC