On Mon, Sep 29, 2014 at 8:09 PM, Dirk Schulze <dschu...@adobe.com> wrote:
> On Sep 29, 2014, at 7:20 PM, Markus Stange <msta...@themasta.com> wrote:
>> - For a <feImage> primitive, if the required image hasn't finished
>> loading at the time of drawing, this <feImage> primitive renders
>> transparent black.
> I think there is more than the asynch consideration. CSS does not have 
> setting for cross origin content. While it is planned, it simply isn’t there 
> yet. That means SVG filters can be loaded from pretty much any origin. I 
> wonder if this should taint the canvas. Have you though about this?

Good point! I hadn't thought about this. I don't see much point in
disallowing the use of cross-origin filters (who would put sensitive
data inside a filter?), but it certainly would be bad if one could
paint images from a different domain into the canvas using <feImage>
and then read the pixels. So cross-domain feImage loads should
certainly taint the canvas.


Reply via email to