[whatwg] "offscreen canvas" /Access to canvas functionality from a worker

Dmitry Titov dimich at google.com
Thu Dec 10 14:12:10 PST 2009

On Thu, Dec 10, 2009 at 1:36 PM, Oliver Hunt <oliver at apple.com> wrote:

> Additionally there's the question of origin tainting -- is it possible to
> taint the origin in a worker? you don;t have image elements, you can't xhr
> unsafely to other origins, but maybe i'm missing something?

Is origin tainting relevant here because we want to make sure the image
being processed before upload does not get sent to malicious site by
the compromised worker script? It seems UA should taint the connected
documents once worker gets tainted.

There is importScript that can go cross-origin, just like <script> tag.
Going to http or different origin should trigger 'mixed content' indication
in UA for all pages connected to worker. XHR is SOP but there are bad SSL
certs. Normally the workers XHR would silently fail if received a bad SSL
cert response, but if the user previously replied "trust the site anyways"
on the scary dialog while visiting the site, I think the access from worker
then goes through with bad cert, since user already 'approved' it for the
whole origin.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20091210/1ab37fc4/attachment-0002.htm>

More information about the whatwg mailing list