why is this toDataURL line a security error?

Question

If an image from another site, is loaded to a page, and then written to canvas as a partial ingredient in a composite, using:

context.drawImage(image, 0, 0,          


        

Answer 1

As per the spec, information leakage can occur if scripts from one origin can access information (e.g. read pixels) from images on another origin. The worry is that a malicious app could deduce information that it otherwise wouldn't have access to by loading in an image from another domain/origin (easily done with images) and reading the pixel content. XHR has protections built in place to prevent XD leakage. Images do not.