- From: <bugzilla@jessica.w3.org>
- Date: Tue, 02 Nov 2010 20:29:01 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11203
Summary: Canvas security model does not allow for same-origin
relaxation
Product: HTML WG
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: HTML Canvas 2D Context (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: matt.schemmel@gmail.com
QAContact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
public-html@w3.org
There appears to be a gap in the security model specification between the
'canvas' and 'script' elements.
The canvas security model
http://www.w3.org/TR/html5/the-canvas-element.html#security-with-canvas-elements
offers no way to relax the security check from "same origin" to "effective
script origin", as defined here
http://www.w3.org/TR/html5/origin-0.html#relaxing-the-same-origin-restriction
More accurately, there appears to be no way for the canvas context to use an
effective script origin other than the actual origin of the resource. This
prevents any use of the canvas interface by scripts sourced from a Document
with a relaxed domain.
The HTML5 specification has been carefully implemented in the Mozilla project,
and it is clear to see the effect: scripts that use the canvas API to filter
images from host.domain.com fail on Firefox 3.x, where they operate
successfully using Chrome, IE, etc.
Goal of this request is to introduce an effective-script-origin analogue for
the canvas element, perhaps by introducing a method to set the effective script
of the canvas object similar to document.domain for the Document.
--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Tuesday, 2 November 2010 20:29:02 UTC