[whatwg] Canvas spec issues

Philip Taylor excors+whatwg at gmail.com
Mon May 14 19:24:09 PDT 2007


On 15/05/07, Ian Hickson <ian at hixie.ch> wrote:
> On Wed, 4 Apr 2007, Philip Taylor wrote:
> >
> > Relating to data: URLs:
> >
> > "To prevent information leakage, the toDataURL() and getImageData()
> > methods should raise a security exception if the canvas ever had images
> > painted on it that originate from a domain other than the domain of the
> > script that painted the images onto the canvas." - is it true/obvious
> > that an image from a data: URL doesn't originate from any domain at all
> > and so it should be allowed?
>
> No, it's neither true nor obvious (nor is it obvious that it isn't true).
>
> I tried to make this clearer recently though, let me know if it's still
> confusing.

When I try working out what it says now, I see

    "Security: To prevent information leakage, the toDataURL() and
getImageData() methods should raise a security exception if the canvas
has ever had an image painted on it whose origin is different from
that of the script calling the method."

and "origin" says (among other things)

    "The origin of a Document or image that was generated from a data:
URI found in another Document or in a script is the origin of the that
Document or script."

so I think:

    var dataURL = canvas.toDataURL(); // dataURL is just a string
    var img = new Image();
    // img is an image that was generated from a data: URI found in this
    // Document, so its origin is the origin of this Document
    img.src = dataURL;
    img.onload = function() {
        // img has the same origin as this script (since the origin of
        // this script is the origin of this Document)
        ctx.drawImage(img, 0, 0);
        canvas.toDataURL(); // ...so it's fine to call this again
    }

(I'm hoping that's true, so I could say
    function save(ctx, name) {
        globalStorage[document.domain][name] = ctx.canvas.toDataURL();
    }
    function load(ctx, name) {
        var img = new Image();
        img.src = globalStorage[document.domain][name];
        img.onload = function() { ctx.drawImage(img, 0, 0); };
    }
and be allowed to save after loading.)

> > The colour parsing refers to [CSS3COLOR]. No profile is described, so
> > presumably all of CSS3 Color should be supported. In that case: what
> > should "currentColor" do, since its CSS definition makes no sense here?
>
> It makes sense -- it's the value of the 'color' property.

The 'color' property of the <canvas> element?

-- 
Philip Taylor
excors at gmail.com
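
Added example (not part of the original message or of the specification): a small JavaScript model of the draft rule as quoted above, in which a data: URI image takes the origin of the Document that holds it and a canvas remembers every origin ever painted on it. `originOf`, `ModelCanvas`, `loadImage` and `tryExport` are hypothetical names, and the origins and payload are constructed.

```javascript
// Model of the draft wording quoted in the message; not a browser API.
// All names (originOf, ModelCanvas, loadImage, tryExport) are hypothetical.

// A data: URI image takes the origin of the Document or script it was
// found in; any other URL uses its own scheme/host/port.
function originOf(src, ownerOrigin) {
  const url = new URL(src, ownerOrigin + "/");
  return url.protocol === "data:" ? ownerOrigin : url.origin;
}

function loadImage(src, documentOrigin) {
  return { src, origin: originOf(src, documentOrigin) };
}

class ModelCanvas {
  constructor() {
    // "has ever had an image painted on it": origins are never forgotten
    this.paintedOrigins = new Set();
  }
  drawImage(img) {
    this.paintedOrigins.add(img.origin);
  }
  // callerOrigin: origin of the script calling the method
  toDataURL(callerOrigin) {
    for (const origin of this.paintedOrigins) {
      if (origin !== callerOrigin) {
        const err = new Error("image from " + origin + " was painted here");
        err.name = "SecurityError";
        throw err;
      }
    }
    return "data:image/png;base64,AAAA"; // constructed placeholder payload
  }
}

// Returns "ok", or the name of the exception that toDataURL raised.
function tryExport(canvas, callerOrigin) {
  try { canvas.toDataURL(callerOrigin); return "ok"; }
  catch (e) { return e.name; }
}

const PAGE = "http://app.example"; // constructed origin
const canvas = new ModelCanvas();
const saved = canvas.toDataURL(PAGE);
canvas.drawImage(loadImage(saved, PAGE)); // save/load round trip
console.log("after data: round trip:", tryExport(canvas, PAGE));
canvas.drawImage(loadImage("http://other.example/photo.png", PAGE));
console.log("after cross-origin draw:", tryExport(canvas, PAGE));
```

Under this reading the save/load round trip leaves the canvas exportable, while a single cross-origin draw blocks export permanently, even if same-origin images are painted afterwards.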


