[whatwg] Canvas and drawWindow

Ian Hickson ian at hixie.ch
Thu May 12 20:23:30 PDT 2011

On Thu, 12 May 2011, Aryeh Gregor wrote:
> On Thu, May 12, 2011 at 1:58 AM, Ian Hickson <ian at hixie.ch> wrote:
> > This is something that is rife with serious security concerns: 
> > exposing history, the potential for cross-origin data leakage, 
> > introspecting spelling-checker user dictionaries, inspecting data that 
> > is otherwise hidden such as user theme preferences or file input 
> > paths...
> >
> > This is not something to undertake lightly. Even if we found a way to 
> > actually determine when to taint a drawn image,
> Easy: always.  I don't believe for a second that you're going to get it 
> secure otherwise.  Any user preference that affects display enables 
> fingerprinting.  Any link whose appearance would vary based on whether 
> it's visited would have to taint it (in browsers like Firefox that have 
> any security in that respect to start with).  Any text input, as you 
> note, would leak spellcheck info.  This is even if there's no 
> cross-origin content on the page at all.  The only possible way you 
> could do this is by constructing an entirely separate fake image that 
> has all identifying information removed -- you're never going to be able 
> to provide a real screenshot (unless the fake one happens to 
> coincidentally match the real one).
> > we could never allow such data to be uploaded to a server or reused in 
> > WebGL (due to the shader timing attacks).
> Why would it be any worse than cross-origin images?

It wouldn't. If you can't use the data from a painted image, though, it 
doesn't leave many useful use cases. The main use cases I'm aware of are 
for interleaving content into a 3D scene, allowing the user to report a 
problem on the page in a bug-reporting tool, and showing cached previews. 
None are possible if we taint the canvas.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
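As an added illustration (not code from this thread or from any browser), here is a small JavaScript model of the canvas "origin-clean" flag that the discussion turns on: cross-origin images without CORS approval taint the canvas, taint propagates between canvases, readback is then refused, and the proposed `drawWindow` is modelled as always tainting, as Aryeh argues it must. `ModelCanvas`, `ImageSource` and the `drawWindow` method are assumptions of the model, not real APIs.

```javascript
// Added model of the origin-clean flag; not browser code, not from the thread.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// A drawable image. `corsApproved` models a CORS-enabled fetch that succeeded.
class ImageSource {
  constructor(origin, corsApproved = false) {
    this.origin = origin;
    this.corsApproved = corsApproved;
  }
}

class ModelCanvas {
  constructor(documentOrigin) {
    this.origin = documentOrigin;
    this.originClean = true; // every canvas starts clean
  }

  // drawImage clears the flag for a non-CORS cross-origin image, or when the
  // source is another canvas that is already tainted (taint propagates).
  drawImage(src) {
    if (src instanceof ModelCanvas) {
      if (!src.originClean) this.originClean = false;
    } else if (src.origin !== this.origin && !src.corsApproved) {
      this.originClean = false;
    }
    return this;
  }

  // Assumed drawWindow: rendered page pixels carry visited-link colours,
  // spellcheck marks, theme preferences etc., so the model taints
  // unconditionally, even for a same-origin page with no cross-origin content.
  drawWindow(_pageOrigin) {
    this.originClean = false;
    return this;
  }

  // Readback (getImageData / toDataURL / toBlob) refuses a tainted canvas.
  getImageData() {
    if (!this.originClean) throw new SecurityError("canvas is tainted");
    return { data: new Uint8ClampedArray(4) }; // stand-in for pixel data
  }

  canRead() {
    try { this.getImageData(); return true; }
    catch (e) { if (e instanceof SecurityError) return false; throw e; }
  }
}
```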
