Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-07-29 Thread Ian Hickson
On Tue, 20 Apr 2010, Charles Pritchard wrote:

 There does not seem to be a standard method of requesting elevated 
 permissions where local file access or cross-domain file access is 
 required.

Requesting permissions from whom? The user is not in any place to make 
educated decisions about such things, the user agent can't know what's 
secure ahead of time, and the author can't be trusted. That doesn't leave 
many people. :-)


 Currently, one must create a duplicate origin-clean Canvas element to 
 copy image data from a dirty element after privilege escalation.

What is privilege escalation?


 Proposed method:
 CanvasRenderingContext2D
resetOriginClean
 throws SECURITY_ERR  exception
 
 When resetOriginClean is executed, an implementation shall request 
 elevated privileges, and if granted, set the origin-clean flag of the 
 canvas element to true.

What's the use case?


On Fri, 23 Apr 2010, Charles Pritchard wrote:
 
 Has there been progress on enabling Canvas origin-clean with 
 Cross-Origin Resource Sharing?

The plan is to start using CORS once it's well-established in XHR2.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-07-29 Thread Charles Pritchard

On 7/29/2010 3:37 PM, Ian Hickson wrote:

On Tue, 20 Apr 2010, Charles Pritchard wrote:
   

There does not seem to be a standard method of requesting elevated
permissions where local file access or cross-domain file access is
required.
 

Requesting permissions from whom? The user is not in any place to make
educated decisions about such things, the user agent can't know what's
secure ahead of time, and the author can't be trusted. That doesn't leave
many people. :-)

   
At the time, I was looking for a usable method of providing the user the option to paste the URL of an image resource, and load it for manipulation with Canvas.

This led to further discussion, bringing up the fact that CORS has not really been implemented for use with Canvas, via drawImage.

I then realized that my best route of implementation is an XMLHttpRequest, followed by base64 encoding, then loading that data through the img tag.

Unfortunately, base64 encoding of binary is really terrible in Firefox; btoa/atob functions seem to be written without much enthusiasm for large strings.

We'd want to use XMLHttpRequest anyway, so that we can store the original image data in offline storage. Otherwise, by grabbing the image data from a canvas tag, we end up with a large png file, when we could be saving the original jpg image.

Again, this circles around issues with Blob handling, more than it does with security, as XMLHttpRequest does support CORS, and is still our only widely implemented method of dealing with streams.


Currently, one must create a duplicate origin-clean Canvas element to
copy image data from a dirty element after privilege escalation.
 

What is privilege escalation?

   
In this case, a user giving the script permission to clear the 
origin-clean flag.

Proposed method:
CanvasRenderingContext2D
resetOriginClean
throws SECURITY_ERR  exception

When resetOriginClean is executed, an implementation shall request
elevated privileges, and if granted, set the origin-clean flag of the
canvas element to true.
 

What's the use case?
   

There are some warnings in browsers for other security items:
 This HTTPS Certificate is not valid, Continue / Cancel

It does set a precedent for prompts like:
 This domain kitties4life.com is trying to access an image from 
flickr.com, Continue / Cancel.


But, as I've said, using CORS is a far better alternative;
and using XMLHttpRequest isn't completely absurd, provided there were
a clean route for managing the data.


On Fri, 23 Apr 2010, Charles Pritchard wrote:
   

Has there been progress on enabling Canvas origin-clean with
Cross-Origin Resource Sharing?
 

The plan is to start using CORS once it's well-established in XHR2.
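The XMLHttpRequest, then base64, then img route described in this message, as an added example that is not code from the thread or from any of its participants. It assumes a browser that supports CORS on XMLHttpRequest with responseType "arraybuffer" (the DOM-dependent part is kept in loadImageViaXhr and is not exercised outside a browser); the helper names bytesToBase64, toDataUrl, isOriginClean, makeCanvasStub and loadImageViaXhr are this example's own. The encoder walks the bytes itself instead of going through btoa and a giant binary string, which is the cost the message complains about, and the origin-clean probe catches the exception a tainted canvas raises on pixel reads (the thread calls it SECURITY_ERR; this code checks the DOMException name "SecurityError", an assumption about the implementation). The four PNG header bytes are constructed sample input.

```javascript
// Added example (not from the thread): the XHR -> base64 -> <img> workaround,
// plus a defensive check for a tainted (not origin-clean) canvas.
// Only the pure helpers run outside a browser; the DOM parts are guarded.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Encode raw bytes (Uint8Array) to base64 without btoa(). btoa() wants a
// "binary string", which for a large image means first building a
// multi-megabyte string via String.fromCharCode; this walks the bytes directly.
function bytesToBase64(bytes) {
  const parts = [];
  let i = 0;
  for (; i + 2 < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | (bytes[i + 1] << 8) | bytes[i + 2];
    parts.push(B64[n >> 18], B64[(n >> 12) & 63], B64[(n >> 6) & 63], B64[n & 63]);
  }
  const rest = bytes.length - i;
  if (rest === 1) {
    const n = bytes[i] << 16;
    parts.push(B64[n >> 18], B64[(n >> 12) & 63], "=", "=");
  } else if (rest === 2) {
    const n = (bytes[i] << 16) | (bytes[i + 1] << 8);
    parts.push(B64[n >> 18], B64[(n >> 12) & 63], B64[(n >> 6) & 63], "=");
  }
  return parts.join("");
}

// Build the data: URL an <img> can load. The MIME type is taken from the
// response, so a JPEG stays a JPEG instead of being re-encoded as PNG.
function toDataUrl(mime, bytes) {
  return `data:${mime};base64,${bytesToBase64(bytes)}`;
}

// Probe whether a canvas is still origin-clean: reading pixels from a tainted
// canvas throws a SecurityError (assumed DOMException name), so catch exactly
// that and let any other error propagate as a real bug.
function isOriginClean(canvas) {
  try {
    canvas.getContext("2d").getImageData(0, 0, 1, 1);
    return true;
  } catch (e) {
    if (e && e.name === "SecurityError") return false;
    throw e;
  }
}

// Constructed stand-in for a canvas, so the probe can be exercised without a DOM.
function makeCanvasStub(tainted) {
  return {
    getContext: () => ({
      getImageData() {
        if (!tainted) return { data: new Uint8ClampedArray(4) };
        const e = new Error("The canvas has been tainted by cross-origin data.");
        e.name = "SecurityError";
        throw e;
      },
    }),
  };
}

// Browser-only: fetch the bytes over a CORS-enabled XHR, keep the original
// bytes (for offline storage), and hand an <img> the data: URL. Drawing that
// img into a canvas leaves the canvas origin-clean, since the data is same-origin.
function loadImageViaXhr(url, onLoad) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url);
  xhr.responseType = "arraybuffer";
  xhr.onload = function () {
    if (xhr.status !== 200) return onLoad(new Error("HTTP " + xhr.status));
    const bytes = new Uint8Array(xhr.response);
    const header = xhr.getResponseHeader("Content-Type") || "application/octet-stream";
    const mime = header.split(";")[0].trim();
    const img = new Image();
    img.onload = () => onLoad(null, img, bytes);
    img.onerror = () => onLoad(new Error("image decode failed"));
    img.src = toDataUrl(mime, bytes);
  };
  xhr.onerror = () => onLoad(new Error("XHR failed (missing CORS headers?)"));
  xhr.send();
}

// Constructed sample: the first four bytes of a PNG header.
const SAMPLE_PNG_PREFIX = new Uint8Array([0x89, 0x50, 0x4e, 0x47]);

console.log(toDataUrl("image/png", SAMPLE_PNG_PREFIX));      // data:image/png;base64,iVBORw==
console.log(isOriginClean(makeCanvasStub(true)));            // false
console.log(isOriginClean(makeCanvasStub(false)));           // true
```

In a page, the call is `loadImageViaXhr(url, (err, img, bytes) => { ... ctx.drawImage(img, 0, 0); ... })`; the XHR only succeeds when the remote server sends CORS headers for the page's origin, which is the same gate the thread wants on img instead of a user prompt.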

   




Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-07-29 Thread Tab Atkins Jr.
On Thu, Jul 29, 2010 at 3:44 PM, Charles Pritchard ch...@jumis.com wrote:
 There are some warnings in browsers for other security items:
  This HTTPS Certificate is not valid, Continue / Cancel

That's recognized pretty universally as a horrible prompt that is
actively bad for the user.


 It does set a precedent for prompts like:
  This domain kitties4life.com is trying to access an image from flickr.com,
 Continue / Cancel.

Similarly, users wouldn't have a clue what this means.


 But, as I've said, using CORS is a far better alternative;
 and using XMLHttpRequest isn't completely absurd, provided there were
 a clean route for managing the data.

Indeed.

~TJ


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Jonas Sicking
On Thu, Apr 22, 2010 at 5:05 PM, Charles Pritchard ch...@jumis.com wrote:
 On 4/20/10 7:18 AM, Charles Pritchard wrote:

 / Proposed method:

 // CanvasRenderingContext2D
 // resetOriginClean
 // throws SECURITY_ERR exception
 //
 // When resetOriginClean is executed, an implementation shall request
 elevated
 // privileges, and if granted, set the origin-clean flag of the canvas
 // element to true.
 /

 Mozilla would almost certainly not be willing to implement such a method.
 -Boris


 Well... as that idea has been torpedoed, what/where is current work
 being done to unify privilege escalation?

 ...

 Boris, you haven't provided me with any reasoning/room to address the issue.

 In general use resetOriginClean would just throw a security error.
 It'd only prompt the user for permissions in the same cases that
 enablePrivilege does.

For what it's worth, we consider enablePrivilege to be a horrible
solution for basically any involved party (browser developer, user,
and website author), and we're in the process of removing it. So
saying that anything is like enablePrivilege is not a good argument :)

/ Jonas


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Charles Pritchard

On Thu, Apr 22, 2010 at 5:05 PM, Charles Pritchard ch...@jumis.com wrote:

On 4/20/10 7:18 AM, Charles Pritchard wrote:

// When resetOriginClean is executed, an implementation shall request

elevated
// privileges, and if granted, set the origin-clean flag of the canvas
// element to true.
/


Mozilla would almost certainly not be willing to implement such a method.
-Boris
  

Well... as that idea has been torpedoed, what/where is current work
being done to unify privilege escalation?


This seems to be covered in the Widget Access Request Policy.
http://www.w3.org/TR/widgets-access/


For what it's worth, we consider enablePrivilege to be a horrible
solution for basically any involved party (browser developer, user,
and website author), and we're in the process of removing it. So
saying that anything is like enablePrivilege is not a good argument :)

/ Jonas
  

Thanks for clarifying

Has there been progress on enabling Canvas origin-clean with
Cross-Origin Resource Sharing?

Currently, a CORS-enabled XMLHttpRequest result must be serialized
in base64 and then loaded into an img tag.

Cross-Origin Resource Sharing:
http://www.w3.org/TR/cors/

-Charles




Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Boris Zbarsky

On Thu, Apr 22, 2010 at 5:05 PM, Charles Pritchardch...@jumis.com  wrote:

Boris, you haven't provided me with any reasoning/room to address the issue.


Sorry.  The point is that providing for dynamic privilege escalation (in 
the sense that the permissions of a chunk of code change on the fly) is 
not something we plan to support going forward.  In particular it 
imposes significant performance costs on our JavaScript implementation 
which we would obviously like to eliminate.


I see no problems with exposing a resetOriginClean method to trusted 
code; my problem is with a setup where code transitions from trusted to 
untrusted, and with random gradations in trust levels that enforce 
security checks all over the place.  That's what we would not want to 
implement.


 It'd only prompt the user for permissions in the same cases that
 enablePrivilege does.

Which is about to become never in Gecko as soon as we can make it 
happen


 I'm just trying to standardize the really awkward experience a
 trusted application has to go through to grab permitted image data.

If an application is trusted (in the system principal sense in 
Mozilla, not in the broken enablePrivilege sense), how did it end up 
with a dirty canvas to start with?


I do think the CORS suggestion elsewhere in this thread is a good one, 
by the way.


-Boris


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Jonas Sicking
On Fri, Apr 23, 2010 at 9:43 AM, Charles Pritchard ch...@jumis.com wrote:
 For what it's worth, we consider enablePrivilege to be a horrible
 solution for basically any involved party (browser developer, user,
 and website author), and we're in the process of removing it. So
 saying that anything is like enablePrivilege is not a good argument :)

 / Jonas


 Thanks for clarifying

 Has there been progress on enabling Canvas origin-clean with
 Cross-Origin Resource Sharing?

No.

 Currently, a CORS-enabled XMLHttpRequest result must be serialized
 in base64 and then loaded into an img tag.

 Cross-Origin Resource Sharing:
 http://www.w3.org/TR/cors/

One solution is to simply use CORS together with XMLHttpRequest as you
point out. Though it's definitely not smooth.

Alternatively, it would be possible to use CORS together with img,
such that if the response to an img request contains the appropriate
CORS headers then tainting would not occur when imported into a
canvas.

This would require changes to both HTML and to CORS, but not too bad.
And the result is significantly better as it doesn't require the user
to get involved and decide what's safe and what's not.

I suggest you approach things from this direction instead.

/ Jonas


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Anne van Kesteren

On Sat, 24 Apr 2010 04:04:57 +0900, Jonas Sicking jo...@sicking.cc wrote:

This would require changes to both HTML and to CORS, but not too bad.
And the result is significantly better as it doesn't require the user
to get involved and decide what's safe and what's not.


What changes to CORS would be required? It is designed to make this just  
work so if anything is wrong I'd like to know. Specifically the resource  
sharing check is what HTML would use here.



--
Anne van Kesteren
http://annevankesteren.nl/


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Charles Pritchard
I believe that CORS (sometimes?) uses an additional HTTP OPTIONS 
request, though I don't see that being necessary (the GET response 
could return valid headers).


Has Opera implemented cross domain origin-clean images?

-Charles



On Apr 23, 2010, at 5:56 PM, Anne van Kesteren ann...@opera.com  
wrote:


On Sat, 24 Apr 2010 04:04:57 +0900, Jonas Sicking jo...@sicking.cc  
wrote:

This would require changes to both HTML and to CORS, but not too bad.
And the result is significantly better as it doesn't require the user
to get involved and decide what's safe and what's not.


What changes to CORS would be required? It is designed to make this  
just work so if anything is wrong I'd like to know. Specifically  
the resource sharing check is what HTML would use here.



--
Anne van Kesteren
http://annevankesteren.nl/


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-23 Thread Anne van Kesteren
On Sat, 24 Apr 2010 10:00:52 +0900, Charles Pritchard ch...@jumis.com  
wrote:
I believe that CORS (sometimes?) uses an additional HTTP OPTIONS 
request, though I don't see that being necessary (the GET response 
could return valid headers).


CORS does not do that for simple cross-origin requests (i.e. the requests  
img makes).




Has Opera implemented cross domain origin-clean images?


Not yet.


--
Anne van Kesteren
http://annevankesteren.nl/


Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-22 Thread Maciej Stachowiak


On Apr 22, 2010, at 5:05 PM, Charles Pritchard wrote:




Mozilla would almost certainly not be willing to implement such a method.
-Boris



Well... as that idea has been torpedoed, what/where is current work
being done to unify privilege escalation?


Calling it privilege escalation makes it sound like a security hole,  
not a feature. Not a good way to persuade browser implementors to add  
such a thing.


Regards,
Maciej



Re: [whatwg] Canvas 2D Context Proposal: resetOriginClean

2010-04-20 Thread Boris Zbarsky

On 4/20/10 7:18 AM, Charles Pritchard wrote:

Proposed method:
CanvasRenderingContext2D
resetOriginClean
throws SECURITY_ERR exception

When resetOriginClean is executed, an implementation shall request elevated
privileges, and if granted, set the origin-clean flag of the canvas
element to true.


Mozilla would almost certainly not be willing to implement such a method.

-Boris