This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
I can't currently find the text that defines how tainting works, but I seem to recall that the spec recently defined that if text was drawn using a cross-site font which was loaded without CORS opt-in, then the canvas should be tainted as to prevent getting pixel data from it. However this needs to happen also if such a font wasn't actually used to draw into the canvas, but was attempted to be used. I.e. if you do something like cx.font = "fontA, fontB"; cx.fillText(str, 0, 0); if fontA is a non-CORS cross-site font, but fontB isn't. Even if the text ends up being drawn using only fontB, that leaks information about which characters are in fontA and thus the canvas should be tainted.
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: see diff given below Rationale: Well, ok, but seriously, who's putting sensitive information into a font that's so sensitive that the very presence of a character gives something away? It's not like non-font files are going to accidentally be interpreted as fonts, either, this information has to have actually been put in a font somehow.
Checked in as WHATWG revision r6105. Check-in comment: taint canvas if we even _consider_ a cross-site font http://html5.org/tools/web-apps-tracker?from=6104&to=6105
mass-move component to LC1