[whatwg] Canvas and drawWindow
emoller at opera.com
Fri Mar 11 08:35:33 PST 2011
I bet this has been discussed before, but I'm curious as to what people
think about breathing some life into a more general version of Mozillas
canvas.drawWindow() that draws a snapshot of a DOM window into the canvas?
I know there are some security considerations (for example listed in the
source of drawWindow):
// We can't allow web apps to call this until we fix at least the
// following potential security issues:
// -- rendering cross-domain IFRAMEs and then extracting the results
// -- rendering the user's theme and then extracting the results
// -- rendering native anonymous content (e.g., file input paths;
// scrollbars should be allowed)
I'm no security expert, but it seems to me there's an easy way to at least
cater for some of the use-cases by always setting origin-clean to false
when you use drawWindow(). Sure it's a bit overkill to always mark it
dirty, but it's simple and would block you from reading any of the pixels
back which would address most (all?) of the security concerns.
I'm doing a WebGL demo, so the use-case I have for this would be to render
a same-origin page to a canvas and smack that on a monitor in the
3d-world. Intercept mouse clicks, transform them into 2d and passing them
on would of course be neat as well and probably opens up the use-cases you
could dream up.
So, I'm well aware its a tad unconventional, but perhaps someone has a
better idea of how something like this could be accomplished... i.e. via
SVG and foreignObject or punching a hole in the canvas and applying a
transform etc. I'd like to hear your thoughts.
More information about the whatwg