Bug 693051 (Open, status NEW)
Opened 12 years ago, updated 6 months ago
Taint the canvas when setting fillStyle/strokeStyle to a pattern with a cross-origin image
Product/Component: Core :: Graphics: Canvas2D (defect)
Reporter: Ms2ger; Assignee: Unassigned
Tested by
http://www.w3c-test.org/html/tests/submission/PhilipTaylor/canvas/security.pattern.canvas.fillStyle.html
http://www.w3c-test.org/html/tests/submission/PhilipTaylor/canvas/security.pattern.canvas.strokeStyle.html
http://www.w3c-test.org/html/tests/submission/PhilipTaylor/canvas/security.pattern.image.fillStyle.html
http://www.w3c-test.org/html/tests/submission/PhilipTaylor/canvas/security.pattern.image.strokeStyle.html

Comment 1•12 years ago (Reporter)
Or actually:
http://test.w3.org//html/tests/submission/PhilipTaylor/canvas/security.pattern.canvas.fillStyle.html
http://test.w3.org//html/tests/submission/PhilipTaylor/canvas/security.pattern.canvas.strokeStyle.html
http://test.w3.org//html/tests/submission/PhilipTaylor/canvas/security.pattern.image.fillStyle.html
http://test.w3.org//html/tests/submission/PhilipTaylor/canvas/security.pattern.image.strokeStyle.html

Updated•12 years ago (Reporter)
Summary: Taint the canvas when setting fillStyle/ to a pattern with a cross-origin image → Taint the canvas when setting fillStyle/strokeStyle to a pattern with a cross-origin image

Comment 2•12 years ago
Hmm. So right now we taint the canvas only if the tainted pattern is used to actually draw anything (so on the next fill/stroke/whatever). The test expects to taint just on the style set. Is that what the spec calls for? If so, why?
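The two behaviours discussed above (taint when the style is set, versus taint when the pattern is first drawn with) differ only in when the origin-clean flag is cleared, but the observable effect is the same: once the flag is clear, toDataURL()/getImageData() throw SecurityError. The following is an added example, not code from this bug, from Gecko, or from the WPT tests linked above. It contains a small model of the spec's origin-clean flag with both policies selectable, and a probe function that works unchanged on a real CanvasRenderingContext2D to tell a practitioner which policy a given browser implements. The "spec" and "draw" policy names, the ModelContext class, and the cross-origin image URL in the usage comment are assumptions made for the example.

```javascript
// Thrown by readback calls once the canvas is tainted; same name as the DOMException.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// Model of CanvasPattern: remembers whether its source was origin-clean.
class ModelPattern {
  constructor(originClean) { this.originClean = originClean; }
}

// Model of a <canvas> plus its 2D context, tracking the origin-clean flag.
// policy "spec": flag is cleared as soon as fillStyle/strokeStyle is SET to a tainted pattern.
// policy "draw": flag is cleared only when that pattern is used by a drawing call.
class ModelContext {
  constructor(policy = "spec") {
    this.policy = policy;
    this.originClean = true;
    this._fillStyle = "#000000";
    this._strokeStyle = "#000000";
    const self = this;
    // Readback must fail with SecurityError once the flag is cleared.
    this.canvas = {
      toDataURL() {
        if (!self.originClean) throw new SecurityError("canvas is tainted by cross-origin data");
        return "data:image/png;base64,"; // placeholder: the model stores no pixels
      },
    };
  }
  // source is {crossOrigin: bool} (stand-in for an <img>) or another ModelContext;
  // a pattern built from a tainted canvas is itself tainted.
  createPattern(source) {
    const clean = source instanceof ModelContext ? source.originClean : !source.crossOrigin;
    return new ModelPattern(clean);
  }
  _setStyle(field, value) {
    this[field] = value;
    if (this.policy === "spec" && value instanceof ModelPattern && !value.originClean) {
      this.originClean = false; // taint on assignment
    }
  }
  set fillStyle(v) { this._setStyle("_fillStyle", v); }
  get fillStyle() { return this._fillStyle; }
  set strokeStyle(v) { this._setStyle("_strokeStyle", v); }
  get strokeStyle() { return this._strokeStyle; }
  _use(style) {
    if (style instanceof ModelPattern && !style.originClean) this.originClean = false; // taint on draw
  }
  fillRect() { this._use(this._fillStyle); }
  strokeRect() { this._use(this._strokeStyle); }
  // drawImage() of cross-origin data taints under every policy.
  drawImage(source) {
    const clean = source instanceof ModelContext ? source.originClean : !source.crossOrigin;
    if (!clean) this.originClean = false;
  }
}

// Works on the model above and on a real CanvasRenderingContext2D.
function isTainted(ctx) {
  try { ctx.canvas.toDataURL(); return false; }
  catch (e) { if (e.name === "SecurityError") return true; throw e; }
}

// Sets the style, checks readback, draws with it, checks readback again.
function probeTaintPolicy(ctx, pattern, prop = "fillStyle") {
  ctx[prop] = pattern;
  const taintedAfterSet = isTainted(ctx);
  if (prop === "fillStyle") ctx.fillRect(0, 0, 1, 1); else ctx.strokeRect(0, 0, 1, 1);
  const taintedAfterDraw = isTainted(ctx);
  if (taintedAfterSet) return "taint-on-set";
  if (taintedAfterDraw) return "taint-on-draw";
  return "not-tainted";
}

// Runs the probe against both model policies with a constructed cross-origin image.
function demo() {
  const crossOriginImage = { crossOrigin: true };
  const spec = new ModelContext("spec");
  const draw = new ModelContext("draw");
  return {
    spec: probeTaintPolicy(spec, spec.createPattern(crossOriginImage), "fillStyle"),
    draw: probeTaintPolicy(draw, draw.createPattern(crossOriginImage), "strokeStyle"),
  };
}

// In a browser (assumed cross-origin image URL, no CORS headers), the same probe
// reports which policy the engine implements:
//   const img = new Image(); img.src = "https://other.example/img.png";
//   img.onload = () => {
//     const ctx = document.createElement("canvas").getContext("2d");
//     console.log(probeTaintPolicy(ctx, ctx.createPattern(img, "repeat")));
//   };
```

The probe only distinguishes the two policies if readback is attempted between the assignment and the first drawing call; a page that draws before calling toDataURL() sees identical behaviour either way, which is why the WPT tests linked above check immediately after the setter.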

Comment 3•12 years ago (Reporter)
Yeah, see <http://www.whatwg.org/html/#security-with-canvas-elements>. As for why, I don't know. See <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-January/013831.html> and <http://html5.org/tools/web-apps-tracker?from=1191&to=1192> for the addition of that section; it hasn't changed significantly since.

Comment 4•12 years ago
> As for why, I don't know.
Well, does the spec make sense in this case? Should we push back on it?

Comment 5•12 years ago
I filed http://www.w3.org/Bugs/Public/show_bug.cgi?id=14502

Comment 6•12 years ago (Reporter)
I think either is fine, but document.domain scares me.

Comment 7•12 years ago
I _think_ the current spec wording says that document.domain should be ignored for purposes of the same-origin check. That's not what we implement right now, of course...

Comment 8•12 years ago
Hixie sort of likes the spec as it is, and the other UAs are apathetic (except WebKit, which is too apathetic to even say so). I'm going to stop spending time on this, but it might be good to check with whoever wrote this code why we did it that way.

Comment 9•7 years ago
I'm currently working on web-platform test failures and I came across the fillStyle/strokeStyle tests. The spec still says that the fillStyle setter should set the origin-clean flag if it uses a cross-origin image. Is it worth working on matching the spec, or should an issue be raised with W3C again?
Flags: needinfo?(bzbarsky)

Comment 10•7 years ago
The issue with the W3C is still open. The current spec involves entry globals, which Domenic is trying to minimize the use of, so there is a very good chance the spec will change. It's certainly not worth working on matching the spec without talking to Domenic first. See in particular https://github.com/whatwg/html/issues/1431 which explicitly lists the security checks in question as problematic.
Flags: needinfo?(bzbarsky)

Updated•6 months ago
Severity: normal → S3