[whatwg] Canvas and drawWindow

Erik Möller emoller at opera.com
Fri Mar 11 08:35:33 PST 2011

I bet this has been discussed before, but I'm curious as to what people  
think about breathing some life into a more general version of Mozillas  
canvas.drawWindow() that draws a snapshot of a DOM window into the canvas?

I know there are some security considerations (for example listed in the  
source of drawWindow):

  // We can't allow web apps to call this until we fix at least the
  // following potential security issues:
  // -- rendering cross-domain IFRAMEs and then extracting the results
  // -- rendering the user's theme and then extracting the results
  // -- rendering native anonymous content (e.g., file input paths;
  // scrollbars should be allowed)

I'm no security expert, but it seems to me there's an easy way to at least  
cater for some of the use-cases by always setting origin-clean to false  
when you use drawWindow(). Sure it's a bit overkill to always mark it  
dirty, but it's simple and would block you from reading any of the pixels  
back which would address most (all?) of the security concerns.

I'm doing a WebGL demo, so the use-case I have for this would be to render  
a same-origin page to a canvas and smack that on a monitor in the  
3d-world. Intercept mouse clicks, transform them into 2d and passing them  
on would of course be neat as well and probably opens up the use-cases you  
could dream up.

So, I'm well aware its a tad unconventional, but perhaps someone has a  
better idea of how something like this could be accomplished... i.e. via  
SVG and foreignObject or punching a hole in the canvas and applying a  
transform etc. I'd like to hear your thoughts.

Erik Möller
Core Developer
Opera Software

More information about the whatwg mailing list