`CanvasRenderingContext2D.isPointInStroke` and `CanvasRenderingContext2D.isPointInPath` return either:
and
False
That means that if repeated calls with the same parameters return True, the correct value is 'True'. That means that the correct value can be quite precisely guessed by repeated calls. Additionally, the repeated calls reveal inconsistencies. The behaviour can possibly break innocent code that expects constant results.
True
An option to consider is to farble the results according to x and y coordinates, the current color (possibly farbled) and the session hash of the domain. That will make the calls pure functions as expected.
A possible downside is the risk of leaking the session hash as the attacker can control x, y, and the color.
JShelter Version: 0.11.1
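The proposal above, sketched as an added example that is not JShelter code and not part of the original ticket: the flip decision becomes a keyed hash of the call's inputs, so repeated calls agree within a session. All function names, the `rate` parameter, the sample session hashes and the choice of HMAC-SHA256 (which relies on the session hash being high-entropy to address the leak concern) are assumptions.

```javascript
// Added example: hypothetical names, not JShelter's implementation.
const { createHmac } = require("node:crypto");

// Model of the behaviour the ticket reports: the correct value, or
// false at random on each call. The rate is an assumed parameter.
function randomFarble(correct, rate) {
  return correct && Math.random() >= rate;
}

// Proposed behaviour: the flip decision is a keyed hash of the call's
// inputs, so equal inputs always give equal output within a session.
// HMAC-SHA256 keyed with the session hash is an assumption made here:
// each call exposes one bit of MAC output, not key material.
function pureFarble(correct, sessionHash, method, x, y, color, rate) {
  const msg = JSON.stringify([method, x, y, color]);
  const mac = createHmac("sha256", sessionHash).update(msg).digest();
  const flip = mac.readUInt32BE(0) < rate * 2 ** 32;
  return correct && !flip;
}

// What a page learns by repeating one call n times: true if any call was true.
function repeatOr(call, n) {
  let seen = false;
  for (let i = 0; i < n; i++) seen = call() || seen;
  return seen;
}

// Points (all truly inside the path) whose answer is suppressed in a session.
function flippedPoints(sessionHash, size, rate) {
  const out = [];
  for (let x = 0; x < size; x++)
    for (let y = 0; y < size; y++)
      if (!pureFarble(true, sessionHash, "isPointInPath", x, y, "#000000", rate))
        out.push(`${x},${y}`);
  return out;
}

// Constructed session hashes for the demonstration.
const demoA = "constructed-session-hash-A", demoB = "constructed-session-hash-B";
const [px, py] = flippedPoints(demoA, 20, 0.25)[0].split(",").map(Number);
console.log("random, 64 repeats:", repeatOr(() => randomFarble(true, 0.25), 64));
console.log("pure, 64 repeats:", repeatOr(
  () => pureFarble(true, demoA, "isPointInPath", px, py, "#000000", 0.25), 64));
console.log("flipped points A/B:", flippedPoints(demoA, 20, 0.25).length,
  flippedPoints(demoB, 20, 0.25).length);
```

With the random model, repetition recovers the true answer; with the keyed version a suppressed point stays suppressed for the whole session, and a different session hash suppresses a different set of points.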