[html5] r1192 - /
whatwg at whatwg.org
Thu Jan 31 22:41:54 PST 2008
Author: ianh
Date: 2008-01-31 22:41:50 -0800 (Thu, 31 Jan 2008)
New Revision: 1192
Modified:
index
source
Log:
[gow] (2) Overhaul of canvas security requirements.
Modified: index
===================================================================
--- index 2008-02-01 05:50:15 UTC (rev 1191)
+++ index 2008-02-01 06:41:50 UTC (rev 1192)
@@ -718,7 +718,10 @@
</span>Drawing model</a>
</ul>
- <li><a href="#color"><span class=secno>3.14.11.2. </span>Color
+ <li><a href="#security1"><span class=secno>3.14.11.2.
+ </span>Security with <code>canvas</code> elements</a>
+
+ <li><a href="#color"><span class=secno>3.14.11.3. </span>Color
spaces and color correction</a>
</ul>
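Review bot: the new heading takes the auto-generated id `security1`, which until this revision belonged to 4.2.1 Security, so every later `#securityN` anchor shifts by one; in particular `security8`, the target of every "security exception" link in the document, becomes `security9`. Existing external links and bookmarks to those fragments will silently land on the wrong section. Give the new section a descriptive id instead (for example `id=canvas-security`, assuming the build tool accepts an explicit id on an `h5`) so the numbered anchors stay where they are.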
@@ -994,7 +997,7 @@
<li><a href="#the-default0"><span class=secno>4.2. </span>The default
view</a>
<ul class=toc>
- <li><a href="#security1"><span class=secno>4.2.1. </span>Security</a>
+ <li><a href="#security2"><span class=secno>4.2.1. </span>Security</a>
<li><a href="#constructors"><span class=secno>4.2.2.
</span>Constructors</a>
@@ -1016,7 +1019,7 @@
<li><a href="#unscripted"><span class=secno>4.3.3. </span>Unscripted
same-origin checks</a>
- <li><a href="#security2"><span class=secno>4.3.4. </span>Security
+ <li><a href="#security3"><span class=secno>4.3.4. </span>Security
exceptions</a>
<li><a href="#javascript-protocol"><span class=secno>4.3.5. </span>The
@@ -1046,7 +1049,7 @@
<li><a href="#custom-handlers"><span class=secno>4.5.1. </span>Custom
protocol and content handlers</a>
<ul class=toc>
- <li><a href="#security3"><span class=secno>4.5.1.1. </span>Security
+ <li><a href="#security4"><span class=secno>4.5.1.1. </span>Security
and privacy</a>
<li><a href="#sample-handler-impl"><span class=secno>4.5.1.2.
@@ -1105,7 +1108,7 @@
<li><a href="#the-location"><span class=secno>4.7.4. </span>The
<code>Location</code> interface</a>
<ul class=toc>
- <li><a href="#security4"><span class=secno>4.7.4.1.
+ <li><a href="#security5"><span class=secno>4.7.4.1.
</span>Security</a>
</ul>
@@ -1187,7 +1190,7 @@
</span>Threads</a>
</ul>
- <li><a href="#security5"><span class=secno>4.10.7. </span>Security and
+ <li><a href="#security6"><span class=secno>4.10.7. </span>Security and
privacy</a>
<ul class=toc>
<li><a href="#user-tracking"><span class=secno>4.10.7.1. </span>User
@@ -1229,7 +1232,7 @@
<li><a href="#privacy"><span class=secno>4.11.7. </span>Privacy</a>
- <li><a href="#security6"><span class=secno>4.11.8. </span>Security</a>
+ <li><a href="#security7"><span class=secno>4.11.8. </span>Security</a>
<ul class=toc>
<li><a href="#user-agents"><span class=secno>4.11.8.1. </span>User
@@ -1396,7 +1399,7 @@
selection</a>
</ul>
- <li><a href="#security7"><span class=secno>5.3.6. </span>Security
+ <li><a href="#security8"><span class=secno>5.3.6. </span>Security
risks in the drag-and-drop model</a>
</ul>
@@ -2590,7 +2593,7 @@
<h4 id=security><span class=secno>2.1.1. </span>Security</h4>
- <p>User agents must raise a <a href="#security8">security exception</a>
+ <p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of an <code><a
href="#htmldocument">HTMLDocument</a></code> object are accessed by
scripts whose <a href="#origin0">origin</a> is not the same as the
@@ -2609,7 +2612,7 @@
must return its current value. On setting, if the new value is an allowed
value (as defined below), the attribute's value must be changed to the new
value. If the new value is not an allowed value, then a <a
- href="#security8">security exception</a> must be raised instead.
+ href="#security9">security exception</a> must be raised instead.
<p>A new value is an allowed value for the <code
title=dom-document-domain><a href="#domain">document.domain</a></code>
@@ -16145,15 +16148,6 @@
href="#todataurl">toDataURL()</a></code> to allow authors to more
carefully control compression settings, image metadata, etc.
- <p><strong>Security:</strong> To prevent <em>information leakage</em>, the
- <code title=dom-canvas-toDataURL><a
- href="#todataurl">toDataURL()</a></code> and <code
- title=dom-context-2d-getImageData><a
- href="#getimagedata">getImageData()</a></code> methods should raise a <a
- href="#security8">security exception</a> if the canvas has ever had an
- image painted on it whose <a href="#origin0">origin</a> is different from
- that of the script calling the method.
-
<h5 id=the-2d><span class=secno>3.14.11.1. </span>The 2D context</h5>
<p>When the <code title=dom-canvas-getContext><a
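Review bot: deleting this paragraph leaves the `toDataURL()` description with no mention of the security restriction, so a reader of the method's definition does not learn that it can raise an exception until they reach the new 3.14.11.2. Keep a one-sentence pointer here, along the lines of "If the canvas's origin-clean flag is false, `toDataURL()` raises a security exception; see the section on security with canvas elements." Note also that the removed text was a "should" and its replacement is a "must", and that the comparison origin changes from the calling script to the Document that owns the canvas; both are normative changes that the one-line log message does not convey.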
@@ -17788,7 +17782,63 @@
<p class="big-issue">Well, one day.</p>
-->
- <h5 id=color><span class=secno>3.14.11.2. </span>Color spaces and color
+ <h5 id=security1><span class=secno>3.14.11.2. </span>Security with <code><a
+ href="#canvas">canvas</a></code> elements</h5>
+
+ <p><strong>Information leakage</strong> can occur if scripts from one
+ origin are exposed to images from another origin.
+
+ <p>To mitigate this, <code><a href="#canvas">canvas</a></code> elements are
+ defined to have a flag indicating whether they are <i>origin-clean</i>.
+ All <code><a href="#canvas">canvas</a></code> elements must start with
+ their <i>origin-clean</i> set to true. The flag must be set to false if
+ any of the following actions occur:
+
+ <ul>
+ <li>
+ <p>The element's 2D context's <code title=dom-context-2d-drawImage><a
+ href="#drawimage">drawImage()</a></code> method is called with an
+ <code><a href="#htmlimageelement">HTMLImageElement</a></code> whose <a
+ href="#origin0">origin</a> differs from that of the
+ <code>Document</code> object that owns the <code><a
+ href="#canvas">canvas</a></code> element.
+
+ <li>
+ <p>The element's 2D context's <code title=dom-context-2d-drawImage><a
+ href="#drawimage">drawImage()</a></code> method is called with an
+ <code><a href="#htmlcanvaselement">HTMLCanvasElement</a></code> whose
+ <i>origin-clean</i> flag is false.
+
+ <li>
+ <p>The element's 2D context's <code title=dom-context-2d-fillStyle><a
+ href="#fillstyle">fillStyle</a></code> attribute is set to a <code><a
+ href="#canvaspattern0">CanvasPattern</a></code> object that was created
+ from an <code><a href="#htmlimageelement">HTMLImageElement</a></code>
+ whose <a href="#origin0">origin</a> differs from that of the
+ <code>Document</code> object that owns the <code><a
+ href="#canvas">canvas</a></code> element.
+
+ <li>
+ <p>The element's 2D context's <code title=dom-context-2d-fillStyle><a
+ href="#fillstyle">fillStyle</a></code> attribute is set to a <code><a
+ href="#canvaspattern0">CanvasPattern</a></code> object that was created
+ from an <code><a href="#htmlcanvaselement">HTMLCanvasElement</a></code>
+ whose <i>origin-clean</i> flag is false.
+ </ul>
+
+ <p>Whenever the <code title=dom-canvas-toDataURL><a
+ href="#todataurl">toDataURL()</a></code> method of a <code><a
+ href="#canvas">canvas</a></code> element whose <i>origin-clean</i> flag is
+ set to false is called, the method must immediately raise a security
+ exception.
+
+ <p>Whenever the <code title=dom-context-2d-getImageData><a
+ href="#getimagedata">getImageData()</a></code> method of the 2D context of
+ a <code><a href="#canvas">canvas</a></code> element whose
+ <i>origin-clean</i> flag is set to false is called, the method must
+ immediately raise a security exception.
+
+ <h5 id=color><span class=secno>3.14.11.3. </span>Color spaces and color
correction</h5>
<p>The <code><a href="#canvas">canvas</a></code> APIs must perform colour
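Review bot: the list of actions that clear origin-clean covers `fillStyle` (items 3 and 4) but not `strokeStyle`, which accepts the same `CanvasPattern` objects; a pattern created from a cross-origin image, assigned to `strokeStyle` and then stroked paints foreign pixels into a canvas that still reports itself clean, and `getImageData()` would hand them out. Either add matching items for `strokeStyle` or rephrase the two items as "fillStyle or strokeStyle attribute is set to a CanvasPattern ...". Two smaller points: the text says the flag starts true and is set to false, but never says whether anything sets it back (for example resetting the canvas by setting its width or height), so state explicitly that it stays false for the life of the element if that is the intent; and in both closing paragraphs "security exception" is plain text, whereas every other occurrence touched by this patch is a link to the definition (`<a href="#security9">`).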
@@ -25339,9 +25389,9 @@
href="#get" title=dom-item>have an implicit [[Get]] method</a> which
returns <span>nested browsing contexts</span>.
- <h4 id=security1><span class=secno>4.2.1. </span>Security</h4>
+ <h4 id=security2><span class=secno>4.2.1. </span>Security</h4>
- <p>User agents must raise a <a href="#security8">security exception</a>
+ <p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of a <code><a href="#window">Window</a></code>
object are accessed by scripts whose <a href="#origin0">origin</a> is not
the same as the <code><a href="#window">Window</a></code> object's <a
@@ -25732,9 +25782,9 @@
<p>Otherwise, the two URIs do have the same scheme/host/port.
</ol>
- <h4 id=security2><span class=secno>4.3.4. </span>Security exceptions</h4>
+ <h4 id=security3><span class=secno>4.3.4. </span>Security exceptions</h4>
- <p class=big-issue>Define <dfn id=security8>security exception</dfn>.
+ <p class=big-issue>Define <dfn id=security9>security exception</dfn>.
<h4 id=javascript-protocol><span class=secno>4.3.5. </span><dfn
id=the-javascript title="javascript protocol">The <code
@@ -26534,7 +26584,7 @@
the user what the site in question is.</p>
</dl>
- <p>User agents should raise <a href="#security8" title="security
+ <p>User agents should raise <a href="#security9" title="security
exception">security exceptions</a> if the methods are called with <var
title="">protocol</var> or <var title="">mimeType</var> values that the UA
deems to be "privileged". For example, a site attempting to register a
@@ -26562,7 +26612,7 @@
non-idempotent transaction), as the remote site would not be able to fetch
the same data.
- <h5 id=security3><span class=secno>4.5.1.1. </span>Security and privacy</h5>
+ <h5 id=security4><span class=secno>4.5.1.1. </span>Security and privacy</h5>
<p>These mechanisms can introduce a number of concerns, in particular
privacy concerns.
@@ -27910,7 +27960,7 @@
<li>
<p>If <var title="">uri</var> has a different <scheme> component than
- the manifest's URI, then raise a <a href="#security8">security
+ the manifest's URI, then raise a <a href="#security9">security
exception</a>.
<li>
@@ -28425,7 +28475,7 @@
hierarchical <scheme>). If the verification fails (either because
the argument is syntactically incorrect, or differs in a way not described
as acceptable in the previous sentence) then the user agent must raise a
- <a href="#security8">security exception</a>. <a
+ <a href="#security9">security exception</a>. <a
href="#refsRFC3986">[RFC3986]</a> <a href="#refsRFC3987">[RFC3987]</a>
<p>If the third argument passes its verification step, or if the third
@@ -28630,9 +28680,9 @@
user reload must be equivalent to .reload()
-->
- <h5 id=security4><span class=secno>4.7.4.1. </span>Security</h5>
+ <h5 id=security5><span class=secno>4.7.4.1. </span>Security</h5>
- <p>User agents must raise a <a href="#security8">security exception</a>
+ <p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of a <code><a
href="#location2">Location</a></code> object are accessed by scripts whose
<a href="#origin0">origin</a> is not the same as the <code><a
@@ -30394,7 +30444,7 @@
execution. This specification does not require any particular
implementation strategy, so long as the requirement above is met.
- <h4 id=security5><span class=secno>4.10.7. </span>Security and privacy</h4>
+ <h4 id=security6><span class=secno>4.10.7. </span>Security and privacy</h4>
<h5 id=user-tracking><span class=secno>4.10.7.1. </span>User tracking</h5>
@@ -31094,7 +31144,7 @@
way as cookies for the purposes of user interfaces, to reduce the risk of
using this feature for cookie resurrection.
- <h4 id=security6><span class=secno>4.11.8. </span>Security</h4>
+ <h4 id=security7><span class=secno>4.11.8. </span>Security</h4>
<h5 id=user-agents><span class=secno>4.11.8.1. </span>User agents</h5>
@@ -33944,7 +33994,7 @@
<p>If the contents of the selection cannot be represented as text or URIs,
then the paste operation must not have any effect.
- <h4 id=security7><span class=secno>5.3.6. </span>Security risks in the
+ <h4 id=security8><span class=secno>5.3.6. </span>Security risks in the
drag-and-drop model</h4>
<p>User agents must not make the data added to the <code><a
@@ -35679,7 +35729,7 @@
<p>First, if the domain part of the script's <a href="#origin0">origin</a>
is not a host name (e.g. it is an IP address) then the UA must raise a <a
- href="#security8">security exception</a>. <span class=issue>We currently
+ href="#security9">security exception</a>. <span class=issue>We currently
don't allow connections to be set up back to an originating IP address,
but we could, if the subdomain is the empty string.</span>
@@ -35699,15 +35749,15 @@
65535,
</ul>
- <p>...then the UA must raise a <a href="#security8">security exception</a>.</p>
+ <p>...then the UA must raise a <a href="#security9">security exception</a>.</p>
<!-- XXX we should have our own port for this too, e.g. 980 -->
<p>Otherwise, the user agent must verify that the <a href="#the-string">the
string representing the script's domain in IDNA format</a> can be obtained
without errors. If it cannot, then the user agent must raise a <a
- href="#security8">security exception</a>.
+ href="#security9">security exception</a>.
- <p>The user agent may also raise a <a href="#security8">security
+ <p>The user agent may also raise a <a href="#security9">security
exception</a> at this time if, for some reason, permission to create a
direct TCP connection to the relevant host is denied. Reasons could
include the UA being instructed by the user to not allow direct
@@ -35769,7 +35819,7 @@
href="#network1">network</a></code> attribute of the object must be set to
<a href="#the-string">the string representing the script's domain in IDNA
format</a>. If this string cannot be obtained, then the user agent must
- raise a <a href="#security8">security exception</a> exception when the
+ raise a <a href="#security9">security exception</a> exception when the
constructor is called.
<p>The <code title=dom-Connection-peer><a href="#peer">peer</a></code>
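Review bot: while this line is being touched, fix the doubled word in "raise a security exception exception when the constructor is called"; the same phrase recurs in the peer-to-peer constructor hunk further down and should be corrected there too. The anchor change itself is mechanical and fine.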
@@ -35777,7 +35827,7 @@
<p>The object must then be returned, unless, for some reason, permission to
broadcast on the local network is to be denied. In the latter case, a <a
- href="#security8">security exception</a> must be raised instead. User
+ href="#security9">security exception</a> must be raised instead. User
agents may deny such permission for any reason, for example a user
preference.
@@ -35908,7 +35958,7 @@
href="#network1">network</a></code> attribute of the object must be set to
<a href="#the-string">the string representing the script's domain in IDNA
format</a>. If this string cannot be obtained, then the user agent must
- raise a <a href="#security8">security exception</a> exception when the
+ raise a <a href="#security9">security exception</a> exception when the
constructor is called.
<p>The <code title=dom-Connection-peer><a href="#peer">peer</a></code>
@@ -35917,7 +35967,7 @@
<p>The object must then be returned, unless, for some reason, permission to
establish peer-to-peer connections is generally disallowed, for example
due to administrator settings. In the latter case, a <a
- href="#security8">security exception</a> must be raised instead.
+ href="#security9">security exception</a> must be raised instead.
<p>The user agent must then, typically while the script resumes execution,
find a remote host to establish a connection to. To do this it must start
Modified: source
===================================================================
--- source 2008-02-01 05:50:15 UTC (rev 1191)
+++ source 2008-02-01 06:41:50 UTC (rev 1192)
@@ -13697,15 +13697,7 @@
more carefully control compression settings, image metadata,
etc.</p>
- <p><strong>Security:</strong> To prevent <em>information
- leakage</em>, the <code
- title="dom-canvas-toDataURL">toDataURL()</code> and <code
- title="dom-context-2d-getImageData">getImageData()</code> methods
- should raise a <span>security exception</span> if the canvas has
- ever had an image painted on it whose <span>origin</span> is
- different from that of the script calling the method.</p>
-
<h5>The 2D context</h5>
<p>When the <code title="dom-canvas-getContext">getContext()</code>
@@ -15392,7 +15384,59 @@
-->
+ <h5>Security with <code>canvas</code> elements</h5>
+ <p><strong>Information leakage</strong> can occur if scripts from
+ one origin are exposed to images from another origin.</p>
+
+ <p>To mitigate this, <code>canvas</code> elements are defined to
+ have a flag indicating whether they are <i>origin-clean</i>. All
+ <code>canvas</code> elements must start with their
+ <i>origin-clean</i> set to true. The flag must be set to false if
+ any of the following actions occur:</p>
+
+ <ul>
+
+ <li><p>The element's 2D context's <code
+ title="dom-context-2d-drawImage">drawImage()</code> method is
+ called with an <code>HTMLImageElement</code> whose
+ <span>origin</span> differs from that of the <code>Document</code>
+ object that owns the <code>canvas</code> element.</p></li>
+
+ <li><p>The element's 2D context's <code
+ title="dom-context-2d-drawImage">drawImage()</code> method is
+ called with an <code>HTMLCanvasElement</code> whose
+ <i>origin-clean</i> flag is false.</p></li>
+
+ <li><p>The element's 2D context's <code
+ title="dom-context-2d-fillStyle">fillStyle</code> attribute is set
+ to a <code>CanvasPattern</code> object that was created from an
+ <code>HTMLImageElement</code> whose <span>origin</span> differs
+ from that of the <code>Document</code> object that owns the
+ <code>canvas</code> element.</p></li>
+
+ <li><p>The element's 2D context's <code
+ title="dom-context-2d-fillStyle">fillStyle</code> attribute is set
+ to a <code>CanvasPattern</code> object that was created from an
+ <code>HTMLCanvasElement</code> whose <i>origin-clean</i> flag is
+ false.</p></li>
+
+ </ul>
+
+ <p>Whenever the <code
+ title="dom-canvas-toDataURL">toDataURL()</code> method of a
+ <code>canvas</code> element whose <i>origin-clean</i> flag is set to
+ false is called, the method must immediately raise a security
+ exception.</p>
+
+ <p>Whenever the <code
+ title="dom-context-2d-getImageData">getImageData()</code> method of
+ the 2D context of a <code>canvas</code> element whose
+ <i>origin-clean</i> flag is set to false is called, the method must
+ immediately raise a security exception.</p>
+
+
+
<h5>Color spaces and color correction</h5>
<p>The <code>canvas</code> APIs must perform colour correction at
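Review bot: in the source version of the new section the two occurrences of "security exception" are bare text, whereas the paragraph this replaces wraps the term as `<span>security exception</span>`, the convention the rest of the file uses (compare `<span>origin</span>` in the new list items) so that the build tool can link it to its definition; without the span the generated index loses the cross-reference. Also trim the three blank lines added before the "Color spaces and color correction" heading to one, matching the spacing between the other subsections.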