[whatwg] Canvas and drawWindow

Robert O'Callahan robert at ocallahan.org
Mon Mar 14 20:05:14 PDT 2011


On Sat, Mar 12, 2011 at 5:56 AM, Tab Atkins Jr. <jackalmage at gmail.com>wrote:

> I think we should be closing the <svg>/<foreignObject> hole, not
> expanding it as the primary way to smuggle in drawWindow
> functionality.  ^_^
>

I actually think svg image + foreignobject is an OK way to smuggle in the
functionality of rendering HTML fragments to a canvas :-). In Gecko, to
solve various security problems we've made SVG images be a very restrictive
browsing context, which can't for example load any subresource other than
data: URIs. The elements of an SVG image also can't receive input events.
Those measures alone neutralize a lot of the problems with drawWindow.
Unlike IFRAMEs, pages can't reach into the DOM of SVG images to get around
those restrictions. We can make SVG image documents never honor :visited
selectors.

Rob
-- 
"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]


More information about the whatwg mailing list