Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is the security check in fillText/strokeText useful? #1540

Closed
domenic opened this issue Jul 12, 2016 · 5 comments
Closed

Is the security check in fillText/strokeText useful? #1540

domenic opened this issue Jul 12, 2016 · 5 comments
Labels
security/privacy There are security or privacy implications topic: canvas topic: multiple globals

Comments

@domenic
Copy link
Member

domenic commented Jul 12, 2016

https://html.spec.whatwg.org/multipage/scripting.html#dom-context-2d-stroketext

If the text preparation algorithm used a font that has an origin that is not the same as the origin specified by the entry settings object (even if "using a font" means just checking if that font has a particular glyph in it before falling back to another font), then set the CanvasRenderingContext2D's origin-clean flag to false.

I came across this as part of #1431. It looks like this is not implemented in any open-source browser, from what I can tell by code inspection. @bzbarsky in an offline email said

I'm not sure what this is trying to protect against. Font loads are subject to CORS to start with, so as far as I can tell what this is trying to do is prevent you from exfiltrating, via canvas, the glyphs of a font that already opted into allowing you to use it (via CORS). I'm 99% sure Gecko doesn't try to do anything like this, and I'm not sure it's useful to do it, honestly. Do other UAs do this sort of check?

The spec source code has the comment

   <!-- because fonts could be considered sensitive material, I guess; and because that
   sensitivity could extend to whether or not a particular glyph is in the font in the first place.
   -->

Should we remove this check from the spec?
@domenic domenic added topic: canvas security/privacy There are security or privacy implications topic: multiple globals labels Jul 12, 2016
@domenic domenic mentioned this issue Jul 12, 2016
Open
31 tasks
@bzbarsky
Copy link
Contributor

Here's the way I see it: if you managed to load the font such that you can use it, that means that you can load the font file using XHR (because font loads are already subject to CORS). At that point, you can just extract glyph information from it yourself so there is no meaningful security thing going on here.

Am I missing something?

@domenic
Copy link
Member Author

domenic commented Jul 13, 2016

If https://developer.microsoft.com/en-us/microsoft-edge/platform/status/crossdomainfontloading means what I think it means, I guess fonts are not subject to CORS in Safari and Mobile IE? It looks like Chrome made them subject to CORS in Chrome 37. Hmm.

@bzbarsky
Copy link
Contributor

I'm not sure what the status of this stuff is in IE. Safari has long resisted implementing the CORS stuff there. I agree that UAs that don't follow the CSS spec for @font-face may need an extra mechanism to prevent leaking information via canvas. The ones that do follow the CSS spec don't need that.

@junov
Copy link
Member

junov commented Jul 13, 2016

Drive-by comment: The only outstanding security/privacy issue I can think of with canvas text rendering is that it can be used for fingerprinting. But that has more to do with local fonts than with cross-origin fonts (you can sniff which fonts are installed on the client OS). I don't think we are about to start tainting canvases that use local fonts...

domenic added a commit that referenced this issue Jul 13, 2016
@domenic
Remove unnecessary and unimplemented canvas tainting when painting text
4c4c517 
As discussed in #1540, this check does not give any additional
protections over those already provided by CORS, which these days fonts
are subject to.

Fixes #1540. Helps with #1431.
@domenic domenic mentioned this issue Jul 13, 2016
Merged
domenic added a commit that referenced this issue Jul 14, 2016
@domenic
Remove unnecessary and unimplemented canvas tainting when painting text
6c76b61 
As discussed in #1540, this check does not give any additional
protections over those already provided by CORS, which these days fonts
are subject to.

Fixes #1540. Helps with #1431.
@zcorpan
Copy link
Member

zcorpan commented Jul 14, 2016

FYI I think when this was added to the spec, only Gecko used CORS for fonts and other browsers didn't. Presto may have implemented the tainting, not sure. :-)

alice pushed a commit to alice/html that referenced this issue Jan 8, 2019
@domenic
Remove unnecessary and unimplemented canvas tainting when painting text
d41b31e 
As discussed in whatwg#1540, this check does not give any additional
protections over those already provided by CORS, which these days fonts
are subject to.

Fixes whatwg#1540. Helps with whatwg#1431.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security/privacy There are security or privacy implications topic: canvas topic: multiple globals
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zcorpan @domenic @bzbarsky @junov