11955 – The canvas should be tainted when drawing text with a cross-origin font (unless CORS was used to allow it)

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 11955 - The canvas should be tainted when drawing text with a cross-origin font (unless CORS was used to allow it)

Summary: The canvas should be tainted when drawing text with a cross-origin font (unle...

Status:	RESOLVED FIXED

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	LC1 HTML Canvas 2D Context (show other bugs)
Version:	unspecified
Hardware:	Other other

Importance:	P3 normal
Target Milestone:	---
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:	http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-02-02 11:00 UTC by contributor
Modified:	2011-08-04 05:04 UTC (History)
CC List:	7 users (show)

See Also:

Attachments

Description contributor 2011-02-02 11:00:26 UTC

Specification: http://www.whatwg.org/specs/web-apps/current-work/complete/the-canvas-element.html
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#dom-context-2d-filltext

Comment:
The canvas should be tainted when drawing text with a cross-origin font
(unless CORS was used to allow it)

Posted from: 88.131.66.80 by simonp@opera.com

Comment 1 Ian 'Hixie' Hickson 2011-02-11 01:48:58 UTC

I've done this, but if we're worried about fonts leaking information, this is not going to stop it. You can already measure glyphs using regular CSSOM mechanisms like .clientWidth, for instance.

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Accepted
Change Description: see diff given below
Rationale: Concurred with reporter's comments.

Comment 2 contributor 2011-02-11 01:49:11 UTC

Checked in as WHATWG revision r5873.
Check-in comment: Make sure cross-origin fonts can't leak data via <canvas>.
http://html5.org/tools/web-apps-tracker?from=5872&to=5873

Comment 3 Jonas Sicking (Not reading bugmail) 2011-02-11 02:01:15 UTC

Disclaimer: The outcome of this bug doesn't matter to gecko one way or another since we don't allow cross-origin fonts at all unless CORS is used. So fixing our code to align with this change is a no-op.

This seems to close the window when the door is already opened. As you point out, you can get lots of information using CSSOM, and likely more as time goes on. Additionally, using things like pointer-events and SVG filters, you can get the actual pixel data in the font too.

So the result of this bug seems to be solely to require implementations to add code. No actual security or privacy improvements are archived.

The only benefit I can see is if is there is a long term plan to close the other holes too. Is that the case?

Comment 4 Michael[tm] Smith 2011-08-04 05:04:18 UTC

mass-move component to LC1