- From: Markus Stange <mstange@themasta.com>
- Date: Mon, 29 Sep 2014 23:33:07 +0200
- To: Dirk Schulze <dschulze@adobe.com>
- Cc: WHAT Working Group <whatwg@whatwg.org>
On Mon, Sep 29, 2014 at 8:09 PM, Dirk Schulze <dschulze@adobe.com> wrote: > On Sep 29, 2014, at 7:20 PM, Markus Stange <mstange@themasta.com> wrote: >> - For a <feImage> primitive, if the required image hasn't finished >> loading at the time of drawing, this <feImage> primitive renders >> transparent black. > > I think there is more than the asynch consideration. CSS does not have setting for cross origin content. While it is planned, it simply isn’t there yet. That means SVG filters can be loaded from pretty much any origin. I wonder if this should taint the canvas. Have you though about this? Good point! I hadn't thought about this. I don't see much point in disallowing the use of cross-origin filters (who would put sensitive data inside a filter?), but it certainly would be bad if one could paint images from a different domain into the canvas using <feImage> and then read the pixels. So cross-domain feImage loads should certainly taint the canvas. Markus
Received on Monday, 29 September 2014 21:33:31 UTC