
Possible Duplicate:
Why does my navigator tainted a canvas when an image from an other domain is used?

This is a reformulation of one of my previous questions.

For security reasons a browser will limit the use of some functions on a canvas after an image from another domain has been drawn on it.

What are these security reasons? How can an image displayed in a canvas present a risk?

Pierre

2 Answers


I wrote a post on this called Understanding the HTML5 Canvas Image Security Rules

The short version is that if a canvas is allowed to draw local files to itself then it could potentially draw a file that is on your local drive (private to you) or a private site only visible to you (internal.myWebsite.com), get its imageData, and upload that file to a server, effectively stealing the image. We can't have that, so the "local files and cross-domain files break origin-clean" rule is in place.

If you own a website and want to be able to use its images in a cross-origin fashion, you will need to enable CORS.

Simon Sarris

This is a crazy example, but hopefully you get the idea:

Imagine you have an online shopping website. On the user's profile page you show a nice image (created with canvas) of a credit card with the last four digits of the card number on it; when users click on it they can change their credit card details (number, date, etc.). That's fine.

Now imagine that by any means, for example an XSS vulnerability, an SQL injection, or whatever, a cracker could change the link from which you load your canvas image to point to a canvas image on the attacker's server.

The canvas image the cracker is sending resembles the original website's, but with different last four digits, and a link that says "If this is not your credit card, click here to change it".

When the user clicks that link, it goes to a phishing web page of the cracker's that resembles the original "change card details" page, but when the user enters his credit card details they are saved on the attacker's server, and then he is redirected back to the original website.

Nelson