[Webkit-unassigned] [Bug 69044] Canvas drawElement() security issues

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 7 15:07:34 PDT 2011


--- Comment #27 from Adam Barth <abarth at webkit.org>  2011-10-07 15:07:34 PST ---
> > One compelling use case I've heard for this feature is the "eye dropper" tool
> Browsers could just add eye dropper functionality to <input type=color>.

Yeah, I think we should probably do that in any case.  (There's some trickiness around clickjacking, but that seems solvable.)

> > ...highly polished magazine... ...turning a page...
> Can we fix that by providing sufficient primitives to allow the page to define what the rendering should be without the page actually executing the rendering itself? Some advanced version of CSS transitions?

The natural direction to go here is some sort of pixel shader, like in WebGL, but that runs up against the same timing attacks we have with canvas.

> > * a graphics editor that wants to show snapshots for the states in an undo stack
> A vector graphics editor using SVG for local rendering, I assume. For this case, maybe we can have some mechanism for rendering a snapshot in a sandbox that has no network (at all), no history, no plugins, no user profile (so no customised spelling corrections), a globally-defined default "locale", etc. Dunno how you'd handle Web fonts or embedded bitmaps. Maybe pass in some blobs to define a minimal set of resources that can be accessed?

If the drawing is in SVG, using an <img> pointed at the SVG will probably be sufficiently faithful to do these sorts of small snapshots.  The only trick there is if the SVG has external resources, but that's a bug in our implementation of SVG image.
