A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

Canvas “clear taint” permission


This is a crazy idea I just had, in the same vein as “allowing pages to request permissions for things that are currently globally disallowed” as an API for requesting explicit permission to ignore security policies: allow pages to request, via the notification bar, permission to access an image (displayed by the UA after the user clicks “Show Me” on the notification), clearing the canvas’s taint. (This mechanism of asking the user for permission to give a site access to a capability could make many canvas-based operations, like element capture, which have previously been thumbs-downed over security concerns, newly viable.)

Now, of course, the biggest vulnerability here is that the user does not necessarily know what qualifies as sensitive information: a page could display an image that is 99.9999% fuzzy kitten and 0.0001% steganographically hidden margin of an element, revealing the text-wrapping behavior of an account balance and thereby disclosing how many digits it contains. However, I believe the solution to that is suspicion-based counter-fingerprinting, which could be locked down to the degree that, unless the user explicitly asks the browser to authoritatively vet and verify that a page is safe, the request is denied. (This notion of having domains, or even specific scripts, be verified for safety is an interesting one, and one that I’ll probably start a new thread for in a minute.)


This seems to me to simply be a way to circumvent CORS restrictions, and therefore allow the security issues it seeks to prevent. I don’t see how the UA has any hope of identifying suspicion, since all it sees is arrays of pixels from various domains.
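For readers who want to see the mechanism both posts are arguing about, the following is an added example, not code from either poster or from any browser: a small model of the HTML spec’s “origin-clean” flag that decides whether a canvas is tainted, followed by a helper that observes the same three outcomes against a real canvas in a browser. The model assumes origins are already normalized `scheme://host[:port]` strings and deliberately ignores redirects, `null` origins and `data:`/`blob:` sources. The names `classifyImage`, `TaintTrackingCanvas`, `probeRealCanvas` and the origins `attacker.example`/`bank.example` are constructed for illustration. Note that the decision depends only on origin and CORS metadata, never on pixel content, which is the reply’s point.

```javascript
// Added model of the HTML spec's canvas "origin-clean" rules (not code from the thread).
// An origin is a normalized string like "https://bank.example"; an image is an object
// describing how it was fetched and which CORS headers the server returned.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Outcome of loading an <img> from `img.origin` into a document at `docOrigin`:
//   "clean"   : may be drawn and read back (same-origin, or the CORS check passed)
//   "tainted" : drawn (no-CORS request) but any readback afterwards is forbidden
//   "error"   : crossorigin attribute set and the CORS check failed; nothing is drawn
function classifyImage(docOrigin, img) {
  if (img.origin === docOrigin) return "clean";
  if (img.crossOrigin === null) return "tainted";          // plain <img src>, no CORS
  const acao = img.response.accessControlAllowOrigin;      // Access-Control-Allow-Origin
  const acac = img.response.accessControlAllowCredentials; // Access-Control-Allow-Credentials
  if (img.crossOrigin === "use-credentials") {
    // With credentials, "*" is rejected: the exact origin plus ACAC: true is required.
    return acao === docOrigin && acac === true ? "clean" : "error";
  }
  // crossorigin="anonymous": "*" or the exact document origin suffices.
  return acao === "*" || acao === docOrigin ? "clean" : "error";
}

// Minimal stand-in for a 2D canvas that tracks only the origin-clean flag.
class TaintTrackingCanvas {
  constructor(docOrigin) {
    this.docOrigin = docOrigin;
    this.originClean = true;
    this.drawn = [];
  }
  drawImage(img) {
    const verdict = classifyImage(this.docOrigin, img);
    if (verdict === "error") {
      throw new Error(`image from ${img.origin} failed its CORS check and was not drawn`);
    }
    this.drawn.push(img.origin);
    if (verdict === "tainted") this.originClean = false; // sticky: no existing API clears it
    return verdict;
  }
  // Readback APIs (getImageData, toDataURL, toBlob) throw once the flag is false.
  getImageData() {
    if (!this.originClean) {
      throw new SecurityError("The canvas has been tainted by cross-origin data.");
    }
    return this.drawn.slice();
  }
}

// Attempt a readback and report the result as a string instead of throwing.
function readbackOutcome(canvas) {
  try {
    canvas.getImageData();
    return "readable";
  } catch (e) {
    return e.name === "SecurityError" ? "SecurityError" : "other";
  }
}

// Constructed scenario: a page on attacker.example draws an image served by bank.example.
function demo() {
  const doc = "https://attacker.example";
  const bankNoCors = { origin: "https://bank.example", crossOrigin: null, response: {} };
  const bankAnon = { origin: "https://bank.example", crossOrigin: "anonymous",
                     response: { accessControlAllowOrigin: "*" } };
  const bankCreds = { origin: "https://bank.example", crossOrigin: "use-credentials",
                      response: { accessControlAllowOrigin: "*" } };
  const c1 = new TaintTrackingCanvas(doc);
  c1.drawImage(bankNoCors);
  const c2 = new TaintTrackingCanvas(doc);
  c2.drawImage(bankAnon);
  return {
    noCors: readbackOutcome(c1),                    // "SecurityError": drawn but unreadable
    anonymousStar: readbackOutcome(c2),             // "readable": server opted in with ACAO: *
    credentialsStar: classifyImage(doc, bankCreds), // "error": "*" is invalid with credentials
  };
}

// In a real browser the same three outcomes can be observed with an actual canvas.
// Resolves to "clean", "tainted" or "error"; only usable where `document` exists.
function probeRealCanvas(url, crossOrigin) {
  return new Promise((resolve) => {
    const img = new Image();
    if (crossOrigin) img.crossOrigin = crossOrigin; // "anonymous" | "use-credentials"
    img.onerror = () => resolve("error");           // CORS failure: image never loads
    img.onload = () => {
      const canvas = document.createElement("canvas");
      canvas.width = img.width;
      canvas.height = img.height;
      canvas.getContext("2d").drawImage(img, 0, 0);
      try { canvas.toDataURL(); resolve("clean"); }
      catch (e) { resolve(e.name === "SecurityError" ? "tainted" : "error"); }
    };
    img.src = url;
  });
}
```

The proposal in the first post amounts to a user-granted path that flips `originClean` back to `true` after a no-CORS draw; everything else in the existing model is controlled by the image server, which is the only party that knows whether its pixels are safe to expose.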