[whatwg] Minor addition/rewording for canvas section

[Anne van Kesteren]

On Sun, 13 Jan 2008 14:13:52 +0100, Oliver Hunt <oliver at apple.com> wrote:
> I did wonder about why other origins could read anything myself, so  
> you're not alone -- it just seemed especially odd to allow images to be  
> written safely but not ImageData.

ImageData is always safe as you create it yourself.

The specification should also mention that drawing <img  
src=data:image/png,...>  on the <canvas> is safe so that you can actually  
roundtrip data through the server. The SVG case here is slightly more  
complex so maybe it's better to have a definition of a "safe  
HTMLImageElement".


> I'm as yet unsure whether a separate origin should be able to write -- i  
> have nothing to back this up with but it seems that you could  
> potentially right to a canvas from a separate domain to make the canvas  
> look like something it wasn't -- but i'm not familiar enough with the  
> other origin related policies in html5 to be able to say anything  
> meaningful.

Cross-document messaging only allows passing through strings.


> I only noticed this as i was looking at the ImageData portion of the  
> spec just now :D

Would be nice if you guys implemented it :-)


> I assume there was a reason that reading from the canvas from another  
> origin is ever allowed, but I can't think of what it might be -- any  
> thoughts/recollections from others would be well received :D

I don't think this is possible. The security model is pretty simple.  
HTMLImageElement is either safe or unsafe. HTMLCanvasElement is also  
either safe (default) or unsafe. CanvasPattern is, again, either safe or  
unsafe. Once you draw an unsafe HTMLImageElement, HTMLCanvasElement, or  
CanvasPattern on an HTMLCanvasElement you mark the HTMLCanvasElement as  
unsafe. The toDataURL() and getImageData() functions throw for an unsafe  
HTMLCanvasElement.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>