[whatwg] Canvas 2D Context Proposal: resetOriginClean

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 23 Apr 2010 12:04:57 -0700
Message-ID: <p2q63df84f1004231204vc9ee6f3h94b323c0dcd7de34@mail.gmail.com>

On Fri, Apr 23, 2010 at 9:43 AM, Charles Pritchard <chuck at jumis.com> wrote:
>> For what it's worth, we consider enablePrivilege to be a horrible
>> solution for basically any involved party (browser developer, user,
>> and website author), and we're in the process of removing it. So
>> saying that anything is like enablePrivilege is not a good argument :)
>>
>> / Jonas
>>
>
> Thanks for clarifying
>
> Has there been progress on enabling Canvas origin-clean with
> Cross-Origin Resource Sharing?

No.

> Currently, a CORS-enabled XMLHttpRequest result must be serialized
> in base64 and then loaded into an <img> tag.
>
> Cross-Origin Resource Sharing:
> http://www.w3.org/TR/cors/

One solution is to simply use CORS together with XMLHttpRequest as you
point out. Though it's definitely not smooth.

Alternatively, it would be possible to use CORS together with <img>,
such that if the response to an <img> request contains the appropriate
CORS headers then tainting would not occur when imported into a
canvas.

This would require changes to both HTML and to CORS, but not too bad.
And the result is significantly better as it doesn't require the user
to get involved and decide what's safe and what's not.

I suggest you approach things from this direction instead.

/ Jonas
Received on Friday, 23 April 2010 12:04:57 UTC
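
The rule proposed in the message above, modeled as an added example that is not part of the original message or of any browser's code: a cross-origin image leaves the canvas origin-clean only when its response carries a matching CORS header. The class and function names, URLs and response headers are constructed for illustration, and requests are assumed to be sent without credentials, so a wildcard header is accepted.

```javascript
// Model of the canvas origin-clean flag with the CORS-for-<img> rule proposed
// in the message above. All names are hypothetical; this is not browser code.

// Constructed sample responses, keyed by image URL.
const RESPONSES = {
  "https://app.example/logo.png": {},
  "https://cdn.example/open.png": { "access-control-allow-origin": "*" },
  "https://cdn.example/partner.png": { "access-control-allow-origin": "https://app.example" },
  "https://cdn.example/other.png": { "access-control-allow-origin": "https://else.example" },
  "https://intranet.example/chart.png": {},
};

// True when the response headers let `docOrigin` read the image's pixels.
// Assumption: the request carried no credentials, so "*" is acceptable.
function corsAllows(headers, docOrigin) {
  const allow = headers["access-control-allow-origin"];
  return allow === "*" || allow === docOrigin;
}

class ModelCanvas {
  constructor(docOrigin) {
    this.docOrigin = docOrigin;
    this.originClean = true; // every canvas starts clean
  }

  // Drawing always succeeds; only the flag changes.
  drawImage(url) {
    const sameOrigin = new URL(url).origin === this.docOrigin;
    if (!sameOrigin && !corsAllows(RESPONSES[url] || {}, this.docOrigin)) {
      this.originClean = false; // sticky: a later clean draw does not reset it
    }
  }

  // Read-back is refused once the canvas is tainted.
  toDataURL() {
    if (!this.originClean) throw new Error("SecurityError: canvas is tainted");
    return "data:image/png;base64,(pixels)";
  }
}

// Returns true when the canvas is still readable after drawing `urls` in order.
function readableAfter(docOrigin, urls) {
  const canvas = new ModelCanvas(docOrigin);
  urls.forEach((u) => canvas.drawImage(u));
  try { canvas.toDataURL(); return true; } catch (e) { return false; }
}
```

The header check runs on the image server's response, so the resource owner decides which origins may read the pixels and the user is never prompted.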