Why can't I force download of tainted canvas and why is it a security issue?

Front-end · unresolved · 2 answers · 752 views
终归单人心 · 2020-12-12 05:53


Take this example situation: On example.com (example of my domain) I can download a JSO

2 answers
  • 2020-12-12 06:28

    It is solely related to security (and is not related to copyright). We can see from this article that the main intent of cross-origin restriction is:

    The principal intent for this mechanism is to make it possible for largely unrestrained scripting and other interactions between pages served as a part of the same site (understood as having a particular DNS host name, or part thereof), whilst almost completely preventing any interference between unrelated sites.

    And a few paragraphs down (my emphasis):

    In theory, the model seems simple and robust enough to ensure proper separation between unrelated pages, and serve as a method for sandboxing potentially untrusted or risky content within a particular domain [...]

    The article doesn't mention canvas in particular, but for canvas it has to do with, for example, grabbing content currently displayed in a tab (different origin) and sending it back to a malicious third party, which can then see the content (e.g. things like bank statements, some account information and the sort - in theory anyway).

    MDN generalizes this type of attacks this way:

    This protects users from having private data exposed by using images to pull information from remote web sites without permission.

    But a different-origin server where this poses no risk may allow cross-origin use, which is why in some cases we can request this by adding the attribute/property crossOrigin = "anonymous" to the image tag/element.

    In either case we can display images and apply things like transformations to them in canvas even if the canvas is tainted, but if it is tainted we cannot pull any data or read pixel information from it using getImageData(), toDataURL() or toBlob().

    Avoiding restrictions

    To avoid this restriction from other sites you would have to set up a page proxy which would do the image request on your page's behalf, then serve it to your page without any restriction. This of course adds to bandwidth as well as load-time.

    The other way is to simply upload the image to your own server or to a server set up to allow cross-origin use. In this case you would not be able to use it as a security attack surface, but you could yourself be targeted for infringement violation depending on Fair-Use, license and such (otherwise unrelated to CORS itself).

    The CORS specification can be found here.

    0 · Discussion (0)
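Editor's added example (not code from the answer above): the rule the answer describes, written out as a small model of what the browser decides when an `<img>` is drawn onto a canvas, followed by the browser-side probe that tries `toDataURL()` and catches the `SecurityError`. The page and image URLs, and the response-header object passed to `classifyImageLoad`, are placeholders supplied by the caller; a real browser takes the headers from the actual network response.

```javascript
// Added example (not part of either answer): a model of the rule a browser
// applies when an <img> is drawn onto a canvas, plus the browser-side probe.
// Page and image URLs are placeholders supplied by the caller.

function originOf(url) {
  return new URL(url).origin;            // scheme + host + port, e.g. "https://mysite.example"
}

function headerValue(headers, name) {
  const wanted = name.toLowerCase();     // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

/**
 * Classify how the browser treats an image once drawn onto a canvas.
 *
 *   'same-origin' : same origin as the page; never taints the canvas
 *   'opaque'      : cross-origin, no crossorigin attribute; loads but taints the canvas
 *   'cors-ok'     : crossorigin attribute set and the CORS check passed; does not taint
 *   'cors-failed' : crossorigin attribute set but the CORS check failed; the image does not load
 *
 * `crossOrigin` is null (attribute absent), 'anonymous' or 'use-credentials'.
 * `headers` is a plain object of the image response's headers (an assumption of
 * this model; a real browser reads them from the network response).
 */
function classifyImageLoad(pageUrl, imageUrl, crossOrigin = null, headers = {}) {
  if (crossOrigin !== null && crossOrigin !== 'anonymous' && crossOrigin !== 'use-credentials') {
    throw new TypeError(`unsupported crossOrigin value: ${crossOrigin}`);
  }
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(imageUrl)) return 'same-origin';
  if (crossOrigin === null) return 'opaque';  // "no-cors" request: opaque response, taints

  const acao = headerValue(headers, 'Access-Control-Allow-Origin');
  if (acao === undefined) return 'cors-failed';
  if (crossOrigin === 'anonymous') {
    // Request is sent without cookies, so a wildcard is acceptable.
    return acao === '*' || acao === pageOrigin ? 'cors-ok' : 'cors-failed';
  }
  // use-credentials: cookies are sent, so '*' is rejected and the server must
  // also answer Access-Control-Allow-Credentials: true.
  const acac = headerValue(headers, 'Access-Control-Allow-Credentials');
  return acao === pageOrigin && acac === 'true' ? 'cors-ok' : 'cors-failed';
}

function taintsCanvas(classification) {
  return classification === 'opaque';
}

// Browser-only probe (needs `Image` and `document`): draws the image and tries to
// read it back. toDataURL() throws a SecurityError when the canvas is tainted.
function loadAndProbe(imageUrl, crossOrigin = null) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    if (crossOrigin !== null) img.crossOrigin = crossOrigin;
    img.onload = () => {
      const canvas = document.createElement('canvas');
      canvas.width = img.naturalWidth;
      canvas.height = img.naturalHeight;
      canvas.getContext('2d').drawImage(img, 0, 0);   // drawing always works, tainted or not
      try {
        resolve({ tainted: false, dataUrl: canvas.toDataURL('image/png') });
      } catch (err) {
        if (err.name === 'SecurityError') resolve({ tainted: true, dataUrl: null });
        else reject(err);
      }
    };
    // With a crossorigin attribute, a failed CORS check surfaces here, not as a taint.
    img.onerror = () => reject(new Error(`image did not load: ${imageUrl}`));
    img.src = imageUrl;
  });
}
```

Usage in a page: `loadAndProbe('https://example.com/pic.png', 'anonymous')` resolves with `{ tainted: false, dataUrl }` only if example.com answered with a matching `Access-Control-Allow-Origin`; with no attribute the promise resolves with `{ tainted: true }`, and with the attribute but no CORS header the image does not load at all and the promise rejects.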
  • 2020-12-12 06:31

    Cross-origin images cause security violations -- Here's why...

    I don't know if CORS restrictions also had protection of copyright images in mind but those other-domain images might be copyrighted so allowing you to use them as a "base" for your newly saved image is a direct security violation -- it could be stealing. The browser can't read copyright notices, so it must taint the canvas for all cross-domain images.

    The direct theft issue aside, malicious code could look over your shoulder and copy your bank account image onto a canvas and export that canvas image to themselves. That's an indirect security violation.

    So you must comply with security requirements -- Here's how...

    • The simplest way: host those images on the same domain as your webpage.

    • You could ask example.com to configure their server to allow anonymous access to their content.

    • You could host your images on a public host that already offers some anonymous access to their hosted image. Dropbox.com, Cloudinary.com and Imgur.com are among many image hosts that allow specific folders to be anonymously accessed.

    • If your users have modern browsers, you can use FileReader to let users select which image they want to download from example.com. By making the user explicitly choose a specific image the security restrictions are satisfied and you can then successfully export your image.

    • There are a few other solutions which involve piping the image from example.com through your web domain. These solutions have server-security & server-resource issues and should be avoided.

    0 · Discussion (0)
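Editor's added example (not code from either answer): both answers mention "piping the image through your own domain" and the second one warns that such proxies have server-security issues. The main one is that an open image proxy is a server-side request forgery (SSRF) primitive: anything that can reach `/img?u=` can make your server fetch internal addresses. The Node proxy below re-serves an image from your own origin (so the canvas is not tainted) while applying the controls that limit that risk: an upstream host allowlist, https only, no credentials in the URL, no redirect following, image content types only, and a byte cap. The host `images.example.com`, the `/img?u=` route and the port are assumptions for the example.

```javascript
// Added example, not from either answer: a minimal same-origin image proxy in
// Node with SSRF and resource controls. Hostnames, route and port are assumptions.

const ALLOWED_UPSTREAM_HOSTS = new Set(['images.example.com']); // assumption: hosts you trust
const MAX_IMAGE_BYTES = 5 * 1024 * 1024;                         // 5 MiB cap per image

// Validate the requested upstream URL before the server fetches anything.
// Rejecting by hostname allowlist blocks 127.0.0.1, 169.254.169.254, internal
// names and userinfo tricks such as https://images.example.com@evil.example/.
function validateUpstreamUrl(raw, allowedHosts = ALLOWED_UPSTREAM_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'only https upstreams are proxied' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL are not allowed' };
  if (!allowedHosts.has(url.hostname)) return { ok: false, reason: 'upstream host is not allowlisted' };
  return { ok: true, url };
}

// Only pass through raster image types; never re-serve HTML, SVG (may contain
// script) or anything else the upstream decides to send.
function isImageContentType(contentType) {
  if (typeof contentType !== 'string') return false;
  const mime = contentType.split(';')[0].trim().toLowerCase();
  return /^image\/(png|jpeg|gif|webp)$/.test(mime);
}

function startProxy(port) {
  const http = require('http');
  const https = require('https');

  const server = http.createServer((req, res) => {
    const reqUrl = new URL(req.url, 'http://localhost');
    if (req.method !== 'GET' || reqUrl.pathname !== '/img') {
      res.writeHead(404);
      return res.end();
    }
    const check = validateUpstreamUrl(reqUrl.searchParams.get('u') ?? '');
    if (!check.ok) {
      res.writeHead(400, { 'content-type': 'text/plain' });
      return res.end(check.reason);
    }

    const upstream = https.get(check.url, { headers: { accept: 'image/*' } }, (up) => {
      // Do not follow redirects: an allowlisted host could bounce us to an internal address.
      if (up.statusCode !== 200 || !isImageContentType(up.headers['content-type'])) {
        up.resume();
        res.writeHead(502);
        return res.end();
      }
      let received = 0;
      res.writeHead(200, {
        'content-type': up.headers['content-type'],
        'cache-control': 'public, max-age=300',
      });
      up.on('data', (chunk) => {
        received += chunk.length;
        if (received > MAX_IMAGE_BYTES) {       // cut off oversized bodies mid-stream
          upstream.destroy();
          res.destroy();
          return;
        }
        res.write(chunk);
      });
      up.on('end', () => res.end());
    });
    upstream.setTimeout(10000, () => upstream.destroy(new Error('upstream timeout')));
    upstream.on('error', () => {
      if (!res.headersSent) res.writeHead(502);
      res.end();
    });
  });

  server.listen(port);
  return server;
}

// Run with `node proxy.js --serve`, then use
// <img src="/img?u=https://images.example.com/pic.png"> on the same origin.
if (process.argv.includes('--serve')) startProxy(8080);
```

Because the browser now fetches the bytes from your own origin, no `crossorigin` attribute is needed and `toDataURL()`/`getImageData()` work; the price is that your server carries the bandwidth and becomes the party responsible for what it re-serves, which is why the allowlist, not just the scheme check, is the control that matters.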