HTML Tainted Canvas Limitation
1. The Website Requires A Canvas With Images from a Different Origin Which Does Not Allow Cross Origin Resource Sharing (CORS)
A browser considers a canvas 'tainted' once it contains an image loaded from a different origin that does not set the Access-Control-Allow-Origin header correctly. For security reasons, browsers block read access to the contents of a tainted canvas, so unblu cannot correctly process them.
1.1. What do users see?
The consultant sees a blank area where the contents of a tainted canvas would be.
1.2. Is it severe?
Severity depends on how important the content of the canvas is for using the website or offering support. If it is an ad or something similar, then the co-browsing experience is not significantly affected. If the canvas contains important features of the website, those features will not be available for co-browsing.
1.3. Is there a workaround?
Yes, in fact there are several:
- Use your regular website server to also serve the corresponding images used in canvases.
- Use a proxy on your website server to forward image requests to the third-party server.
1.4. How do I detect this on a website?
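One way to check a page for this condition, as an added example that is not part of the unblu documentation: the script attempts a read-back on every canvas and reports those the browser refuses with a SecurityError. The function names and the stub document are constructed for illustration.

```javascript
// Added example. Classifies one canvas by attempting a pixel read-back.
// toDataURL() works for 2D and WebGL canvases alike; the browser throws a
// DOMException named "SecurityError" when the canvas is not origin-clean.
function canvasReadState(canvas) {
  try {
    canvas.toDataURL();
    return "readable";
  } catch (err) {
    if (err && err.name === "SecurityError") return "tainted";
    throw err; // any other failure is a real bug, not taint
  }
}

// Walks every <canvas> under `doc` and returns one record per element.
function auditCanvases(doc) {
  return Array.from(doc.querySelectorAll("canvas")).map((canvas, index) => ({
    index,
    id: canvas.id || null,
    size: `${canvas.width}x${canvas.height}`,
    state: canvasReadState(canvas),
  }));
}

// Constructed stand-in for `document` so the logic also runs outside a browser.
function makeSampleDocument() {
  const securityError = Object.assign(new Error("The operation is insecure."), {
    name: "SecurityError",
  });
  const canvases = [
    { id: "chart", width: 300, height: 150, toDataURL: () => "data:image/png;base64," },
    { id: "partner-banner", width: 728, height: 90, toDataURL: () => { throw securityError; } },
  ];
  return { querySelectorAll: (sel) => (sel === "canvas" ? canvases : []) };
}

// In a browser console: console.table(auditCanvases(document));
const sampleReport = auditCanvases(makeSampleDocument());
console.log(sampleReport.filter((c) => c.state === "tainted"));
```

Canvases inside an iframe belong to that frame's document and have to be audited from within it.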
1.5. Further Information
Further information about tainted canvases is available at https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image