On Jan 13, 2008, at 4:57 AM, Philip Taylor wrote:

On 13/01/2008, Oliver Hunt <[EMAIL PROTECTED]> wrote:
Writing to a canvas from a different origin isn't considered a threat; the problem is evil.example.com reading data from the canvas after naive.example.com has put private/confidential information into the canvas.

In that case, evil.example.com shouldn't be allowed to read anything
(pixel data or context state) from the canvas after naive.example.com
has done anything at all to it (e.g. calling fillRect, or setting
fillStyle, etc), because otherwise some potentially-private
information will be leaked. (putImageData can be emulated using
fillRect, so it wouldn't make much sense to have different security
restrictions depending on which equivalent mechanism you use.)

Don't the normal same-origin restrictions already prevent
naive.example.com and evil.example.com accessing the same canvas
element, in the same way as (I assume) they prevent evil.example.com
accessing an <input type=password>.value from a naive.example.com
document?

I did wonder about why other origins could read anything myself, so you're not alone -- it just seemed especially odd to allow images to be written safely but not ImageData.

I'm as yet unsure whether a separate origin should be able to write -- I have nothing to back this up with but it seems that you could potentially write to a canvas from a separate domain to make the canvas look like something it wasn't -- but I'm not familiar enough with the other origin related policies in html5 to be able to say anything meaningful.

I only noticed this as I was looking at the ImageData portion of the spec just now :D

I assume there was a reason that reading from the canvas from another origin is ever allowed, but I can't think of what it might be -- any thoughts/recollections from others would be well received :D

--Oliver
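A runnable model of the rule the thread is circling (the canvas "origin-clean" flag that the HTML spec uses to answer exactly this question), added here as an illustration; it is not browser code and not from either correspondent, and the origins, image objects and `corsApproved` field are constructed for the demo:

```javascript
// Model of the canvas origin-clean flag (added illustration, not browser code).
// A canvas starts clean; drawing an image from another origin that was not
// approved via CORS taints it; a tainted canvas refuses every pixel read-back.
// So the dangerous direction is the read, as the thread says, and the check
// sits on getImageData/toDataURL rather than on the write.

class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

class CanvasModel {
  constructor(documentOrigin) {
    this.origin = documentOrigin;   // origin of the document owning the canvas
    this.originClean = true;        // the flag this thread is about
    this.ops = [];                  // drawing operations applied, in order
  }

  // Same-origin script drawing via fillRect/fillStyle never taints: the
  // script already knows what it drew, so nothing new can leak by reading.
  fillRect(color, x, y, w, h) {
    this.ops.push({ op: "fillRect", color, x, y, w, h });
  }

  // drawImage taints when the image comes from another origin and that
  // origin did not opt in via CORS (constructed corsApproved flag).
  drawImage(image) {
    if (image.origin !== this.origin && !image.corsApproved) {
      this.originClean = false;     // sticky: later same-origin draws don't clear it
    }
    this.ops.push({ op: "drawImage", from: image.origin });
  }

  // Every read-back path shares one check; writes stay allowed regardless.
  getImageData() {
    if (!this.originClean) throw new SecurityError("canvas tainted by cross-origin data");
    return this.ops.slice();
  }
  toDataURL() { this.getImageData(); return "data:image/png;base64,PLACEHOLDER"; }
}

// The scenario from the thread: content from naive.example.com lands on a
// canvas owned by evil.example.com, which then tries to read it back.
function scenario(naiveImageApprovedByCors) {
  const canvas = new CanvasModel("https://evil.example.com");
  canvas.fillRect("white", 0, 0, 100, 100);
  canvas.drawImage({ origin: "https://naive.example.com", corsApproved: naiveImageApprovedByCors });
  canvas.fillRect("red", 10, 10, 5, 5);   // same-origin draw after the taint
  try { canvas.toDataURL(); return "readable"; }
  catch (e) { return e instanceof SecurityError ? "blocked" : "error"; }
}
```

Run `scenario(false)` to see the read-back blocked and `scenario(true)` to see that a CORS opt-in from the image's origin keeps the canvas readable.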


