Why can't I force download of tainted canvas and why is it a security issue?

终归单人心 2020-12-12 05:53


Take this example situation: On example.com (example of my domain) I can download a JSO

2 answers
  •  醉话见心
    2020-12-12 06:31

    Cross-origin images cause security violations -- Here's why...

    I don't know if CORS restrictions also had protection of copyright images in mind but those other-domain images might be copyrighted so allowing you to use them as a "base" for your newly saved image is a direct security violation -- it could be stealing. The browser can't read copyright notices, so it must taint the canvas for all cross-domain images.

    The direct theft issue aside, malicious code could look over your shoulder and copy your bank account image onto a canvas and export that canvas image to themselves. That's an indirect security violation.

    So you must comply with security requirements -- Here's how...

    • The simplest way: host those images on the same domain as your webpage.

    • You could ask example.com to configure their server to allow anonymous access to their content.

    • You could host your images on a public host that already offers some anonymous access to their hosted images. Dropbox.com, Cloudinary.com and Imgur.com are among many image hosts that allow specific folders to be anonymously accessed.

    • If your users have modern browsers, you can use FileReader to let users select which image they want to download from example.com. By making the user explicitly choose a specific image the security restrictions are satisfied and you can then successfully export your image.

    • There are a few other solutions which involve piping the image from example.com through your web domain. These solutions have server-security & server-resource issues and should be avoided.
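Added example (not part of the answer above): a small model of the browser's canvas-tainting decision for the cases the answer lists (same origin, cross-origin without CORS, and the server "allowing anonymous access" via `Access-Control-Allow-Origin` with `img.crossOrigin = "anonymous"`), plus the runtime check for a tainted canvas. The page URLs, header values and the `loadCorsImage` helper are assumptions for illustration.

```javascript
// Added example, not the answer's code. Models what the browser does when an
// <img> is drawn onto a canvas, and how to detect the tainted state at export.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Returns "clean" (canvas stays exportable), "tainted" (image draws, but
// toDataURL/getImageData throw SecurityError) or "load-error" (a CORS request
// was made and the server did not permit it, so img.onerror fires instead).
function canvasStateAfterDraw(pageUrl, imageUrl, crossOrigin, responseHeaders = {}) {
  const page = originOf(pageUrl);
  if (page === originOf(imageUrl)) return "clean";
  if (crossOrigin == null) return "tainted"; // no CORS request: opaque image taints
  const acao = responseHeaders["access-control-allow-origin"];
  const creds = responseHeaders["access-control-allow-credentials"] === "true";
  if (crossOrigin === "use-credentials") {
    // Credentialed mode: ACAO must echo the exact origin (never "*") and allow credentials.
    return acao === page && creds ? "clean" : "load-error";
  }
  // "anonymous" (and any other value, including "") sends Origin without credentials.
  return acao === "*" || acao === page ? "clean" : "load-error";
}

// Runtime check: exporting a tainted canvas throws a DOMException named
// "SecurityError". Returns the data URL, or null when the canvas is tainted.
function tryExportCanvas(canvas) {
  try {
    return canvas.toDataURL("image/png");
  } catch (e) {
    if (e && e.name === "SecurityError") return null;
    throw e;
  }
}

// Browser-only helper (assumed, not run here): load the image the CORS-enabled
// way so the canvas is not tainted when the server permits it.
function loadCorsImage(src) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.crossOrigin = "anonymous"; // must be set before src is assigned
    img.onload = () => resolve(img);
    img.onerror = () => reject(new Error("CORS denied or load failed: " + src));
    img.src = src;
  });
}
```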
