[whatwg] Canvas and drawWindow
ian at hixie.ch
Thu May 12 20:23:30 PDT 2011
On Thu, 12 May 2011, Aryeh Gregor wrote:
> On Thu, May 12, 2011 at 1:58 AM, Ian Hickson <ian at hixie.ch> wrote:
> > This is something that is rife with serious security concerns:
> > exposing history, the potential for cross-origin data leakage,
> > introspecting spelling-checker user dictionaries, inspecting data that
> > is otherwise hidden such as user theme preferences or file input
> > paths...
> > This is not something to undertake lightly. Even if we found a way to
> > actually determine when to taint a drawn image,
> Easy: always. I don't believe for a second that you're going to get it
> secure otherwise. Any user preference that affects display enables
> fingerprinting. Any link whose appearance would vary based on whether
> it's visited would have to taint it (in browsers like Firefox that have
> any security in that respect to start with). Any text input, as you
> note, would leak spellcheck info. This is even if there's no
> cross-origin content on the page at all. The only possible way you
> could do this is by constructing an entirely separate fake image that
> has all identifying information removed -- you're never going to be able
> to provide a real screenshot (unless the fake one happens to
> coincidentally match the real one).
> > we could never allow such data to be uploaded to a server or reused in
> > WebGL (due to the shader timing attacks).
> Why would it be any worse than cross-origin images?
It wouldn't. If you can't use the data from a painted image, though, it
doesn't leave many useful use cases. The main use cases I'm aware of are
for interleaving content into a 3D scene, allowing the user to report a
problem on the page in a bug-reporting tool, and showing cached previews.
None are possible if we taint the canvas.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg