-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is the security check in fillText/strokeText useful? #1540
Comments
Here's the way I see it: if you managed to load the font such that you can use it, that means that you can load the font file using XHR (because font loads are already subject to CORS). At that point, you can just extract glyph information from it yourself so there is no meaningful security thing going on here. Am I missing something? |
If https://developer.microsoft.com/en-us/microsoft-edge/platform/status/crossdomainfontloading means what I think it means, I guess fonts are not subject to CORS in Safari and Mobile IE? It looks like Chrome made them subject to CORS in Chrome 37. Hmm. |
I'm not sure what the status of this stuff is in IE. Safari has long resisted implementing the CORS stuff there. I agree that UAs that don't follow the CSS spec for |
Drive-by comment: The only outstanding security/privacy issue I can think of with canvas text rendering is that it can be used for fingerprinting. But that has more to do with local fonts than with cross-origin fonts (you can sniff which fonts are installed on the client OS). I don't think we are about to start tainting canvases that use local fonts... |
FYI I think when this was added to the spec, only Gecko used CORS for fonts and other browsers didn't. Presto may have implemented the tainting, not sure. :-) |
As discussed in whatwg#1540, this check does not give any additional protections over those already provided by CORS, which these days fonts are subject to. Fixes whatwg#1540. Helps with whatwg#1431.
https://html.spec.whatwg.org/multipage/scripting.html#dom-context-2d-stroketext
I came across this as part of #1431. It looks like this is not implemented in any open-source browser, from what I can tell by code inspection. @bzbarsky in an offline email said
The spec source code has the comment
Should we remove this check from the spec?
The text was updated successfully, but these errors were encountered: