Images can be read cross-domain with canvas – Opera Security Advisories

Severity: Less Severe


Problem Description

HTML CANVAS elements can use images as patterns, and that image data is made available to scripts. When the images are retrieved from other Web sites, the image data should no longer be available to scripts. A flaw exists in the way that Opera checks for the source of these images. Suitable manipulation can cause Opera to reveal the image data to scripts.
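The rule described above, shown as an added example that is not Opera's code and not part of the original advisory: a simplified JavaScript model of the per-canvas origin-clean flag, covering both a cross-site image used as a pattern and a tainted canvas reused as a pattern source. The class names ModelImage, ModelPattern and ModelCanvas, the helper functions, and the two origins are assumptions made for illustration.

```javascript
// Simplified model of the canvas origin-clean rule (added example, not browser code).
// ModelImage, ModelPattern, ModelCanvas and the origins are hypothetical names.
class ModelImage {
  constructor(origin) { this.origin = origin; }
  isCleanFor(docOrigin) { return this.origin === docOrigin; }
}
class ModelPattern { constructor(originClean) { this.originClean = originClean; } }

class ModelCanvas {
  constructor(docOrigin) {
    this.docOrigin = docOrigin;
    this.originClean = true; // a fresh canvas is readable
    this._fillStyle = '#000';
  }
  // As an image source, a canvas is clean only while its own flag is still set.
  isCleanFor(docOrigin) { return this.originClean && this.docOrigin === docOrigin; }
  // The pattern records whether its source was same-origin when it was created.
  createPattern(source) { return new ModelPattern(source.isCleanFor(this.docOrigin)); }
  // Selecting a tainted pattern clears the flag, and nothing sets it again.
  set fillStyle(value) {
    if (value instanceof ModelPattern && !value.originClean) this.originClean = false;
    this._fillStyle = value;
  }
  get fillStyle() { return this._fillStyle; }
  // Every read-back path has to make the same check.
  getImageData() { this.assertReadable(); return 'pixels'; }
  toDataURL() { this.assertReadable(); return 'data:,'; }
  assertReadable() {
    if (this.originClean) return;
    const err = new Error('canvas is not origin-clean');
    err.name = 'SecurityError';
    throw err;
  }
}

// Returns 'readable' or the error name so outcomes can be compared.
function readBack(canvas) {
  try { canvas.getImageData(); return 'readable'; } catch (e) { return e.name; }
}

function demo() {
  const page = 'https://app.example'; // constructed origins
  const a = new ModelCanvas(page); a.fillStyle = a.createPattern(new ModelImage(page));
  const b = new ModelCanvas(page);
  b.fillStyle = b.createPattern(new ModelImage('https://other.example'));
  const c = new ModelCanvas(page); c.fillStyle = c.createPattern(b); // tainted canvas as source
  b.fillStyle = '#fff'; // changing the style afterwards does not restore the flag
  return [readBack(a), readBack(b), readBack(c)];
}
```

A regression test for this class of bug should exercise each route by which image data can reach a canvas and confirm that every read-back call is refused afterwards.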

Opera’s Response

Opera Software has released Opera 9.5, where this issue has been fixed.


Thanks to Philip Taylor for reporting this issue to Opera Software.