[whatwg] Canvas 2D Context Proposal: resetOriginClean
chuck at jumis.com
Thu Jul 29 15:44:53 PDT 2010
On 7/29/2010 3:37 PM, Ian Hickson wrote:
> On Tue, 20 Apr 2010, Charles Pritchard wrote:
>> There does not seem to be a standard method of requesting elevated
>> permissions where local file access or cross-domain file access is
> Requesting permissions from whom? The user is not in any place to make
> educated decisions about such things, the user agent can't know what's
> secure ahead of time, and the author can't be trusted. That doesn't leave
> many people. :-)
At the time, I was looking for a usable method of providing the user the
paste the URL of an image resource, and load it for manipulation with
This lead to further discussion, bringing up the fact that CORS has not
really been implemented
for use with Canvas, via drawImage.
I then realized that my best route of implementation is an
XMLHttpRequest, followed by
base64 encoding, then loading that data through the <img> tag.
Unfortunately, base64 encoding of binary is really terrible in Firefox;
seem to be written without much enthusiasm for large strings.
We'd want to use XMLHttpRequest anyway, so that we can store the
original image data
in offline storage. Otherwise, by grabbing the image data from a canvas
tag, we end up
with a large png file, when we could be saving the original jpg image.
Again, this circles around issues with Blob handling, more than it does
as XMLHttpRequest does support CORS, and is still our only widely
of dealing with streams.
>> Currently, one must create a duplicate origin-clean Canvas element to
>> copy image data from a dirty element after privilege escalation.
> What is "privilege escalation"?
In this case, a user giving the script permission to clear the
>> Proposed method:
>> throws SECURITY_ERR exception
>> When resetOriginClean is executed, an implementation shall request
>> elevated privileges, and if granted, set the origin-clean flag of the
>> canvas element to true.
> What's the use case?
There are some warnings in browsers for other security items:
"This HTTPS Certificate is not valid, Continue / Cancel"
It does set a precedent for prompts like:
"This domain kitties4life.com is trying to access an image from
flickr.com, Continue / Cancel".
But, as I've said, using CORS is a far better alternative;
and using XMLHttpRequest isn't completely absurd, provided there were
a clean route for managing the data.
> On Fri, 23 Apr 2010, Charles Pritchard wrote:
>> Has there been progress on enabling Canvas origin-clean with
>> Cross-Origin Resource Sharing?
> The plan is to start using CORS once it's well-established in XHR2.
More information about the whatwg