undefined | Better HN

0 pointscreatonez8y ago0 comments

Just one example. The canvas API can grab the image data on the canvas. If you could rasterize arbitrary DOM nodes then you could very easily fingerprint users by, say, checking which fonts are installed. You could also load external resources such as images and iframes bypassing same-origin policy, so if your bank's website was configured incorrectly, a malicious site could steal information by taking screenshots of a canvas.

0 comments

Jasper_8y ago

You can already draw non-same-origin images to the canvas using drawImage. This marks a special "origin-clean" flag which is checked when someone tries to call toDataURI or getImageData on the canvas [0] I would be OK if drawing any DOM node to the canvas cleared the origin-clean flag.

[0] https://html.spec.whatwg.org/multipage/canvas.html

j / k navigate · click thread line to collapse

0 pointscreatonez8y ago0 comments

0 comments

Jasper_8y ago

[0] https://html.spec.whatwg.org/multipage/canvas.html

j / k navigate · click thread line to collapse