I understand the concern about a tainted canvas - the idea that the bits of an image from another site can be sent back to a malicious server. But can you explain the details of how exactly this works?
Suppose the user visits nastysite.com, and nastysite.com makes an image request to mydatingsite.com or mybankingsite.com to get an image that contains information that is private to the user, and then renders this image onto a canvas, gets the bits of the canvas, and sends those bits back to the nastysite.com server.
What exactly would that image request URL look like? Say it's your picture from a dating site profile you are logged into with a session cookie (mydatingsite.com), or a check image from a banking site you are logged into with a session cookie (mybankingsite.com). How does nastysite.com know what specific URL to use? And does it work if the connection you have to the dating or banking site is through HTTPS and is part of a particular session?
I guess this is really a question more about session cookies. Does nastysite.com have free access to your session cookies for mydatingsite.com and mybankingsite.com? Can it use them in an image request that the mydatingsite.com and mybankingsite.com servers can't tell isn't a normal session request from their own page?