This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
In section: 4.8.11.2 Security with canvas elements While the origin-clean flag is a very sensible addition; no provision has been specified for CORS. This means if image downloads are parallelized across subdomians or via a CDN for performance toDataURL is prevented by a security execption due to the false origin-clean flag. Which is very problematic... Currently Chrome is the only browser that seems to respect CORS for canvas toDataURL and maintaining the origin-clean flag as true. This works by providing the two HTTP headers: access-control-allow-origin:domain access-control-allow-credentials:false Can this be added to the HTML5 spec to hopefully cause greater adoption in other browsers? At the moment our method of handling this is to catch the exception and put up a popup saying this functionality only works in Chrome; which isn't ideal.
The spec provides a crossorigin attribute for this purpose (specifically to trigger CORS for the image load), right? Last I checked both Chrome and Gecko have added support for that.
(In reply to comment #1) > The spec provides a crossorigin attribute for this purpose (specifically to > trigger CORS for the image load), right? Last I checked both Chrome and Gecko > have added support for that. Ah... I think I picked the wrong bit of the spec - its the Same Origin test pseudo code that doesn't mention CORS (even though CORS is specified above for images) It doesn't seem to work in FireFox http://dev.w3.org/html5/spec/Overview.html#same-origin Two origins are said to be the same origin if the following algorithm returns true: Let A be the first origin being compared, and B be the second origin being compared. If A and B are both opaque identifiers, and their value is equal, then return true. Otherwise, if either A or B or both are opaque identifiers, return false. If A and B have scheme components that are not identical, return false. If A and B have host components that are not identical, return false. If A and B have port components that are not identical, return false. If either A or B have additional data, but that data is not identical for both, return false. Return
Ah, had missed the crossorgin attribute, will give that a go...
(In reply to comment #3) > Ah, had missed the crossorgin attribute, will give that a go... Sorry we were using the crossorgin attribute; might be doing something wrong but here's an example: http://www.illyriad.co.uk/CORSTest.htm Works in Chrome (13.0.782.220) Security error in Firefox 6.0.2, IE9, Opera 11.50, Safari (PC 5.1)
@crossorigin support was added for Firefox 8. You can test an Aurora build at http://www.mozilla.org/en-US/firefox/channel/ that has that change. That said, looks like so far Firefox only allows CORS to loosen cross-origin restrictions for WebGL texture images. I filed https://bugzilla.mozilla.org/show_bug.cgi?id=685518 on doing it for 2d canvas contexts too.
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: no spec change Rationale: This seems to have been fixed already, as noted by bz above. Please let me know if there is anything I can do in the spec to make this clearer.
(In reply to comment #6) > EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are > satisfied with this response, please change the state of this bug to CLOSED. If > you have additional information and would like the editor to reconsider, please > reopen this bug. If you would like to escalate the issue to the full HTML > Working Group, please add the TrackerRequest keyword to this bug, and suggest > title and text for the tracker issue; or you may create a tracker issue > yourself, if you are able to do so. For more details, see this document: > http://dev.w3.org/html5/decision-policy/decision-policy.html > > Status: Accepted > Change Description: no spec change > Rationale: This seems to have been fixed already, as noted by bz above. Please > let me know if there is anything I can do in the spec to make this clearer. The fix was only for 3d canvas in Firefox. As shown by this link http://www.illyriad.co.uk/CORSTest.htm As all browsers other than Chrome fail when using toDataURL on 2d canvas when cross-domain images and valid CORS headers are used, I was hoping it could be made clearer in the spec (since it is _so_ widespread). Perhaps a caveat in the same-origin section to say be aware to pay attention to CORS when something fails the same-orgin test before applying security restrictions. Or in the Security with canvas elements to explicitly state to pay attention to CORS when setting the orgin-clean flag to false?
It's a very new feature, I wouldn't expect browsers to all do it yet. They'll get there. It's more likely to happen if you file bugs on the browsers that don't do it than if I add text to the spec
> The fix was only for 3d canvas in Firefox. 2d canvas was fixed in Gecko a month and a half ago. See <https://bugzilla.mozilla.org/show_bug.cgi?id=685518>. > http://www.illyriad.co.uk/CORSTest.htm Works fine in Nightly or Aurora Firefox builds. None of that is a spec issue; the spec was just fine. Just a matter of limited implementation resources.
(In reply to comment #8) > It's a very new feature, I wouldn't expect browsers to all do it yet. They'll > get there. It's more likely to happen if you file bugs on the browsers that > don't do it than if I add text to the spec