Why is this toDataURL line a security error?


Question

If an image from another site is loaded to a page, and then written to canvas as a partial ingredient in a composite, using:

context.drawImage(image, 0, 0, w, h);

It would seem anything insecure would already have occurred on the draw to the canvas. Why then would

window.location = canvas.toDataURL('image/png');

present an error message. SECURITY_ERR; DOM Exception 18. It doesn't seem any more insecure than the extra step of saving the external site image elsewhere first.

My question is not how to get around this, so much, or what the error means, but rather,

why is this insecure?

Recommended answer

As per the spec, information leakage can occur if scripts from one origin can access information (e.g. read pixels) from images on another origin. The worry is that a malicious app could deduce information that it otherwise wouldn't have access to by loading in an image from another domain/origin (easily done with images) and reading the pixel content. XHR has protections built in place to prevent XD leakage. Images do not.
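
An added example, not part of the original answer: a simplified JavaScript model of the canvas origin-clean flag, showing why the draw succeeds while the later read throws. The names ModelImage, ModelCanvas and tryExport, the corsApproved option and the example URLs are assumptions made for illustration; this is not a browser API.

```javascript
// Simplified model of the canvas "origin-clean" flag (hypothetical names,
// constructed URLs). It runs without a browser.
const PAGE_ORIGIN = 'https://app.example';

// An image is readable if it is same-origin with the page, or if it was
// fetched in CORS mode and the server explicitly allowed this origin.
class ModelImage {
  constructor(src, { corsApproved = false } = {}) {
    this.origin = new URL(src, PAGE_ORIGIN).origin;
    this.corsApproved = corsApproved;
  }
  isOriginClean(pageOrigin) {
    return this.origin === pageOrigin || this.corsApproved;
  }
}

class ModelCanvas {
  constructor(pageOrigin = PAGE_ORIGIN) {
    this.pageOrigin = pageOrigin;
    this.originClean = true; // a fresh canvas starts clean
  }
  isOriginClean() { return this.originClean; }

  // Drawing always succeeds: the user sees the pixels, the script does not.
  // A source that is not origin-clean taints the canvas, and the flag is
  // never reset by later draws.
  drawImage(source) {
    if (!source.isOriginClean(this.pageOrigin)) this.originClean = false;
  }

  // Export is where pixel data would reach script, so the check lives here.
  toDataURL() {
    if (!this.originClean) {
      const err = new Error('Tainted canvases may not be exported.');
      err.name = 'SecurityError';
      throw err;
    }
    return 'data:image/png;base64,(pixels)';
  }
}

// Returns 'ok' or the name of the error raised by an export attempt.
function tryExport(canvas) {
  try { canvas.toDataURL(); return 'ok'; } catch (e) { return e.name; }
}
```

In a real page the CORS-approved case corresponds to setting the image's crossOrigin attribute and the image server answering with a matching Access-Control-Allow-Origin header.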
