On Mon, Sep 29, 2014 at 8:09 PM, Dirk Schulze <dschu...@adobe.com> wrote: > On Sep 29, 2014, at 7:20 PM, Markus Stange <msta...@themasta.com> wrote: >> - For a <feImage> primitive, if the required image hasn't finished >> loading at the time of drawing, this <feImage> primitive renders >> transparent black. > > I think there is more than the asynch consideration. CSS does not have > setting for cross origin content. While it is planned, it simply isn’t there > yet. That means SVG filters can be loaded from pretty much any origin. I > wonder if this should taint the canvas. Have you though about this?
Good point! I hadn't thought about this. I don't see much point in disallowing the use of cross-origin filters (who would put sensitive data inside a filter?), but it certainly would be bad if one could paint images from a different domain into the canvas using <feImage> and then read the pixels. So cross-domain feImage loads should certainly taint the canvas. Markus