[whatwg] Canvas 2D Context Proposal: resetOriginClean

Charles Pritchard chuck at jumis.com
Tue Apr 20 04:18:32 PDT 2010


Issue:
There does not seem to be a standard method of requesting elevated 
permissions
where local file access or cross-domain file access is required.

Consequence:
Currently, one must create a duplicate origin-clean Canvas element
to copy image data from a dirty element after privilege escalation.


Proposed method:
CanvasRenderingContext2D
    resetOriginClean
throws SECURITY_ERR  exception

When resetOriginClean is executed, an implementation shall request elevated
privileges, and if granted, set the origin-clean flag of the canvas 
element to true.


Background:

Section 4.8.10.3 Security with canvas  elements

Information leakage can occur if scripts from one origin  can access 
information (e.g. read pixels) from images from another origin (one that 
isn't the same).
To mitigate this, canvas elements are defined to have a flag indicating 
whether they are origin-clean. All canvas elements must start with their 
origin-clean set to true.


-Charles



More information about the whatwg mailing list