
When you put an image from another domain in a canvas, the canvas is tainted and some functions like getDataURL or getImageData are disabled.

When you try to use such a function, a SECURITY_ERROR error happens.

Why is this protection in place? What sort of attack used this method?

Thanks!

Edited:

I should ask: How can an image coming from another domain be used in an attack? I can't figure out why browsers limit use of the canvas after it has been tainted.

Pierre
    Does not explain why, yet if you need a workaround: http://www.maxnov.com/getimagedata/ – m90 Sep 28 '12 at 08:59
  • Possible duplicate: http://stackoverflow.com/questions/2390232/why-does-canvas-todataurl-throw-a-security-exception – m90 Sep 28 '12 at 09:00

1 Answer

That is a cross-domain blockade; it is similar to the fact that you can't access elements from a page inside of an iframe and such...

EDIT:

From the w3 documentation:

Note that the URL given in the 'src' or 'data' attributes must be on the same domain as the web page and follows the same domain rule (i.e. same protocol, port, etc.); cross-domain object insertion is not supported for security reasons.

But I bumped into this, maybe you could work out something:
http://dev.w3.org/SVG/tools/svgweb/docs/UserManual.html#cross_domain


By the way, cross-domain in JavaScript could work on newer browsers, but you need to own both domains and configure the connection so that it is considered trusted; see here:

http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/

Develoger
  • Thanks for your answer, I understand that this is due to the cross-origin policy. I'm wondering why such a policy is in place? – Pierre Sep 28 '12 at 09:05
  • I have edited the answer... I do not know why there is a blockade, but it has been there for many years now. There is now even an iframe display content blockade :( try displaying Google in an iframe and you will get nothing, because of https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header – Develoger Sep 28 '12 at 09:12
  • I found part of the answer here: http://code.google.com/p/browsersec/wiki/Part2#Standard_browser_security_features It seems it's to limit interaction between websites??? – Pierre Sep 28 '12 at 09:23
  • Yeah, I don't know why this has to be on the client side; isn't it enough to have server-based restrictions like in Apache htaccess etc.? I think that it is considered an easy thing to abuse some others' resources if the cross-domain blockade doesn't exist on a client level. – Develoger Sep 28 '12 at 09:29
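Added example (not part of the question or the answer above, and not browser source code): a small Node.js model of the rule the browser applies when an image is drawn onto a canvas. The point it shows is the one the thread circles around: the canvas is tainted so that the embedding page cannot read back the pixels of a cross-origin image (which the user's browser may have been allowed to fetch, but the page itself is not entitled to inspect), while the image server can opt in via CORS so that pixel read-back stays available. The `crossOrigin` attribute and the `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` headers are the real mechanism; the function names, the `CanvasModel` class and the header sets are hypothetical and constructed for this example.

```javascript
// Model of the canvas "origin-clean" rule (HTML spec terminology). Illustrative
// only: it reproduces the decision a browser makes, not image loading or drawing.

const SAME_ORIGIN = 'same-origin'; // image does not taint the canvas
const TAINTED = 'tainted';         // image draws, but toDataURL/getImageData now throw
const LOAD_ERROR = 'load-error';   // a CORS request was made and refused; image fails to load

// Origin = scheme + host + port, so https://a.example and https://a.example:8443 differ.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// page:    origin of the document owning the canvas, e.g. 'https://app.example'
// img:     { src, crossOrigin } where crossOrigin is null, 'anonymous' or 'use-credentials'
// headers: response headers the image server would send (constructed by the caller)
function classifyImage(page, img, headers = {}) {
  if (originOf(img.src) === page) return SAME_ORIGIN;

  // No crossOrigin attribute: no CORS request is made. The image still loads and
  // draws, but the canvas loses its origin-clean flag. This is the case from the question.
  if (img.crossOrigin == null) return TAINTED;

  const mode = String(img.crossOrigin).toLowerCase();
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];

  if (mode === 'use-credentials') {
    // Credentialed request: a wildcard is not accepted; the server must echo the
    // exact origin and also send Access-Control-Allow-Credentials: true.
    const ok = acao === page && String(acac).toLowerCase() === 'true';
    return ok ? SAME_ORIGIN : LOAD_ERROR;
  }

  // 'anonymous' (browsers treat any other value, including '', as anonymous).
  return acao === '*' || acao === page ? SAME_ORIGIN : LOAD_ERROR;
}

// Stand-in for a canvas: drawing a tainted image clears the flag; reading pixels
// afterwards throws a SecurityError, as the question observes.
class CanvasModel {
  constructor(page) {
    this.page = page;
    this.originClean = true;
  }

  drawImage(img, headers) {
    const result = classifyImage(this.page, img, headers);
    if (result === LOAD_ERROR) throw new Error('image failed to load (CORS refused)');
    if (result === TAINTED) this.originClean = false;
    return result;
  }

  getImageData() {
    if (!this.originClean) {
      const err = new Error('The canvas has been tainted by cross-origin data.');
      err.name = 'SecurityError';
      throw err;
    }
    return 'pixels'; // stand-in for the ImageData object a browser would return
  }
}

// Defensive probe: report whether pixel read-back is allowed instead of throwing.
function canReadPixels(canvas) {
  try {
    canvas.getImageData();
    return true;
  } catch (err) {
    if (err.name === 'SecurityError') return false;
    throw err;
  }
}
```

In a real page the same probe is `try { ctx.getImageData(0, 0, 1, 1) } catch (e) {}` after drawing, and the remedy when you control the image server is to send `Access-Control-Allow-Origin` for the embedding origin and set `img.crossOrigin = 'anonymous'` before assigning `src`; without both, the image still renders but the canvas stays tainted.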