jared

Reputation: 742

HTML5 Canvas cross-domain security issue

What specifically are the security issues that arise by allowing cross-domain image data to be manipulated?

I know that if you have access to both domains you can allow it. I'm wondering why it would be ill-advised to load in Facebook / Instagram images into a canvas to manipulate.

Note that attempting this locally won't work; it must run on localhost or on a server.

Upvotes: 0

Views: 609

Answers (1)

Aki Suihkonen

Reputation: 20057

I don't think the security issue is in manipulation -- it's in reading or capturing a screenshot from another page. A variation of the theme is reading raw pixels from an image that is intended to be displayed, but not for OCR (e.g. some bank account secrets).

http://www.contextis.com/resources/blog/webgl2/

From the start, WebGL implementations suffered from non-conformance to specifications, which probably led Microsoft to develop alternative technology on IE and simultaneously claim that providing a web page with access to the GPU is a high risk by itself.

Upvotes: 1
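The point made in the answer, that drawing a cross-domain image is allowed but reading its pixels back is not, can be shown with a simplified model of the canvas "origin-clean" flag. This is an added example, not part of the original answer and not browser code; `ModelCanvas`, `classifyImage`, `readPixels` and the `.example` URLs are hypothetical names constructed for illustration.

```javascript
// Simplified model of the canvas "origin-clean" flag; not real browser code.
// ModelCanvas, classifyImage and all URLs below are constructed for illustration.

// Decide how an <img> behaves when drawn by a page at pageOrigin.
// Models crossorigin="anonymous" only (no credentialed requests).
function classifyImage(pageOrigin, image) {
  if (new URL(image.url).origin === pageOrigin) return "clean";
  // No CORS request: the image still displays, but its pixels are opaque to script.
  if (!image.corsRequested) return "tainting";
  // CORS requested: the server must approve via Access-Control-Allow-Origin,
  // otherwise the image does not load at all.
  const allow = image.allowOriginHeader;
  return allow === "*" || allow === pageOrigin ? "clean" : "load-error";
}

class ModelCanvas {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.originClean = true;
  }
  drawImage(image) {
    const kind = classifyImage(this.pageOrigin, image);
    if (kind === "load-error") throw new Error("image failed CORS check");
    if (kind === "tainting") this.originClean = false; // sticky: later draws cannot undo it
    return kind;
  }
  // Stands in for getImageData(), toDataURL() and toBlob(): every read path is gated.
  readPixels() {
    if (!this.originClean) {
      const err = new Error("canvas is tainted by cross-origin data");
      err.name = "SecurityError";
      throw err;
    }
    return "pixel data";
  }
}

// Constructed scenario: drawing always succeeds, reading fails once tainted.
function demo() {
  const page = "https://app.example";
  const canvas = new ModelCanvas(page);
  canvas.drawImage({ url: "https://app.example/logo.png" });
  const before = canvas.readPixels();
  canvas.drawImage({ url: "https://photos.example/private.jpg" });
  canvas.drawImage({ url: "https://app.example/logo.png" }); // does not clean the canvas
  let after;
  try { after = canvas.readPixels(); } catch (e) { after = e.name; }
  return { before, after };
}
```

In a real page the opt-in corresponds to setting `img.crossOrigin = "anonymous"` before assigning `src`, with the image host answering with a matching `Access-Control-Allow-Origin` header.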
