Mozilla Foundation Security Advisory 2010-43

Same-origin bypass using canvas context

Announced
July 20, 2010
Reporter
Vladimir Vukicevic
Impact
High
Products
Firefox, Thunderbird
Fixed in
  • Firefox 3.6.7
  • Thunderbird 3.1.1

Description

Mozilla developer Vladimir Vukicevic reported that a canvas element can be used to read data from another site, violating the same-origin policy. The read restriction placed on a canvas element which has had cross-origin data rendered into it can be bypassed by retaining a reference to the canvas element's context and deleting the associated canvas node from the DOM.

References