- From: Charles Pritchard <chuck@jumis.com>
- Date: Tue, 20 Apr 2010 04:18:32 -0700
Issue:
There does not seem to be a standard method of requesting elevated
permissions
where local file access or cross-domain file access is required.
Consequence:
Currently, one must create a duplicate origin-clean Canvas element
to copy image data from a dirty element after privilege escalation.
Proposed method:
CanvasRenderingContext2D
resetOriginClean
throws SECURITY_ERR exception
When resetOriginClean is executed, an implementation shall request elevated
privileges, and if granted, set the origin-clean flag of the canvas
element to true.
Background:
Section 4.8.10.3 Security with canvas elements
Information leakage can occur if scripts from one origin can access
information (e.g. read pixels) from images from another origin (one that
isn't the same).
To mitigate this, canvas elements are defined to have a flag indicating
whether they are origin-clean. All canvas elements must start with their
origin-clean set to true.
-Charles
Received on Tuesday, 20 April 2010 04:18:32 UTC