Art*_*BIT 11 javascript security html5 canvas
看来即使你设置access-control-allow-origin标头允许从mydomain.org访问域example.org上托管的图像,画布的origin-clean标志仍会被设置为false,此时试图操作该图像的像素数据会触发安全异常.
canvas不应该服从access-control-allow-origin标头并允许访问图像的数据而不抛出异常吗?
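实际上,如果图像的"crossOrigin"属性值为"anonymous",canvas会遵循"access-control-allow-origin"标头.注意"crossOrigin"应在设置src之前赋值,并且服务器必须返回允许当前来源的access-control-allow-origin标头,否则图像会加载失败(触发error事件),而不是在读取像素时才抛出异常.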
修正后的示例可以正常工作:http://jsfiddle.net/WLTqG/29/
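var ctx = document.getElementById('c').getContext('2d'),
    img = new Image();

/**
 * Shared failure path: hide the filter button and tell the user that the
 * pixel data is not available.
 * @param {*} err - the exception or error event that caused the failure
 */
function showAccessDenied(err) {
  $('.button').hide();
  $('body').append("Access denied");
  console.log(err);
}

// Request the image in CORS mode without credentials. The canvas stays
// origin-clean only when the server answers with an
// Access-Control-Allow-Origin header that permits this page's origin.
img.crossOrigin = 'anonymous';

img.onload = function() {
  ctx.drawImage(img, 0, 0);
  try {
    // Throws a security exception if the canvas is not origin-clean.
    var imgData = ctx.getImageData(0, 0, 100, 100);
    $('.button').on('click', function(e) {
      e.preventDefault();
      applyFilter(ctx, imgData);
    });
  } catch (err) {
    showAccessDenied(err);
  }
};

// With crossOrigin set, a failed CORS check makes the load itself fail, so
// onload (and its try/catch) never runs; report that case as well.
img.onerror = showAccessDenied;

// Assign src last so that crossOrigin and both handlers are in place before
// the request starts.
img.src = 'https://lh3.googleusercontent.com/-LAFgeyNL894/AAAAAAAAAAI/AAAAAAAAAAA/-CWBGs9xLXI/s96-c/photo.jpg';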
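/**
 * Darken an image by subtracting 50 from every channel of every pixel, then
 * draw the result back onto the canvas at (0, 0).
 *
 * The pixel buffer is modified in place, so calling this repeatedly on the
 * same object darkens it further each time.
 *
 * @param {CanvasRenderingContext2D} ctx - context that receives the result
 * @param {ImageData} data - pixel data in RGBA order, as returned by
 *     getImageData(); reading it requires an origin-clean canvas
 */
function applyFilter(ctx, data) {
  var pixels = data.data;
  var end = 4 * data.width * data.height;
  for (var index = 0; index < end; index += 4) {
    pixels[index] = pixels[index] - 50; // r
    pixels[index + 1] = pixels[index + 1] - 50; // g
    pixels[index + 2] = pixels[index + 2] - 50; // b
    // Alpha is derived from its own previous value. The earlier code read
    // the already-darkened blue channel here, which overwrote alpha with
    // (blue - 100).
    pixels[index + 3] = pixels[index + 3] - 50; // a
  }
  ctx.putImageData(data, 0, 0);
}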
(我只将jQuery用于DOM操作和事件处理)