
I have been struggling with a browser security related question that came up recently: I want to release a mobile website that makes use of HTML5's capture=camera attribute.

However it's likely that a few of these medicines would have a patient name on them - making them protected under HIPAA. Of course, we would send the image data to our server via https and properly encrypt them server-side.

However, we also want to make sure that the image is securely deleted off of the mobile device that took the picture as well. Thankfully - at the very least - the images uploaded in this way aren't added to the device's "camera roll" album.

The complete code - as it is now - is relatively simple:

HTML:

    <input type="file" capture="camera" onchange="resizeAndUpload(this.files)">

JAVASCRIPT:

    function resizeAndUpload(files)
    {
        // Nothing selected (user cancelled the capture dialog)
        if (!files || !files[0]) return

        var img = new Image()

        img.onload = function()
        {
            // The blob: URL is only needed until the image has decoded
            URL.revokeObjectURL(img.src)

            // Use HTML5's Canvas to resize the picture
            var canvas = document.createElement('canvas')

            canvas.width  = 600
            canvas.height = 800

            var context = canvas.getContext('2d')

            // Draw at (0, 0) scaled to the canvas size; the three-argument form
            // would only position the image at (600, 800), off the canvas
            context.drawImage(img, 0, 0, canvas.width, canvas.height)

            // ajaxUpload is the site's own upload helper
            ajaxUpload.post('https://oursite', canvas.toDataURL('image/jpeg'))
        }

        img.src = URL.createObjectURL(files[0])
    }

As you can see, right now I am using revokeObjectURL, but I am wondering if the original file (e.g., files[0]) or the off-screen Canvas still exist somewhere in memory, for how long, and how I would securely get rid of them once the ajax upload is complete.

I realize these answers require a fairly deep understanding of (mobile?) browsers. And I suspect the answer will be browser dependent - since the security specs seem to be quiet on these issues:

http://www.w3.org/TR/html-media-capture/#security

http://www.w3.org/TR/2012/WD-FileAPI-20121025/#security-discussion

Ideally there would be a cross-browser way of getting rid of any remnants of these images on the device (file-system-api's remove?). However I plan to loan these devices to the people taking the pictures, so I could enforce a specific OS and/or Browser if that is what is needed.

Thanks, Adam

  • I'm not sure **how** secure it is, but you could delete the `input` element as soon as you're done with it, and replace it with an empty clone. Hopefully that way, any reference to the `files` collection would be GC'ed – Ian Mar 12 '14 at 19:28
  • I think you will need to read the source of one or more open-source browsers to see what really happens under the hood. There is no way to be sure how it's implemented by reading the spec of the API. – Bart Mar 12 '14 at 20:59
  • @Ian & Bart, Thank you both for the good suggestions. I will let you both know what I end up doing! – Adam Mar 17 '14 at 16:25
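The best-effort cleanup the question and Ian's comment describe, as an added example that is not part of the original post: it revokes the blob: URL, releases the canvas backing store, drops the upload payload and replaces the file input with a fresh clone so the FileList is unreachable. JavaScript cannot zero memory or guarantee erasure, so this only removes references promptly; `state` and `urlApi` are names assumed here, and `urlApi` is a parameter solely so the function can be exercised outside a browser.

```javascript
// Added example, not code from the original post. Best-effort scrubbing of
// the client-side copies of a captured image once the upload has finished.
// Caveat: this drops every reachable reference so the engine can reclaim
// them; it cannot wipe memory and gives no erasure guarantee.

// Release the bitmap behind an off-screen canvas: clear it, then set the
// dimensions to 0 so the backing store is discarded.
function releaseCanvas(canvas) {
  const ctx = canvas.getContext('2d');
  ctx.clearRect(0, 0, canvas.width, canvas.height);
  canvas.width = 0;
  canvas.height = 0;
}

// Replace the <input type=file> with a fresh clone so the FileList and the
// File it wraps are no longer reachable from the DOM (Ian's suggestion).
function replaceFileInput(input) {
  const clone = input.cloneNode(false); // attributes (capture, onchange) kept
  clone.value = '';
  input.parentNode.replaceChild(clone, input);
  return clone;
}

// Drop everything the capture flow held on to. `state` is an assumed record
// { input, img, objectUrl, canvas, payload } filled in during the upload;
// `urlApi` defaults to the global URL object (injectable for testing).
function scrubCaptureState(state, urlApi = URL) {
  const result = { revoked: false, canvasReleased: false, inputReplaced: false };
  if (state.objectUrl) {
    urlApi.revokeObjectURL(state.objectUrl); // blob: URL no longer resolves
    state.objectUrl = null;
    result.revoked = true;
  }
  if (state.img) {
    state.img.src = '';                      // let the decoded bitmap go
    state.img = null;
  }
  if (state.canvas) {
    releaseCanvas(state.canvas);
    state.canvas = null;
    result.canvasReleased = true;
  }
  state.payload = null;                      // Blob or data: URL that was sent
  if (state.input && state.input.parentNode) {
    state.input = replaceFileInput(state.input);
    result.inputReplaced = true;
  }
  return result;
}
```

Prefer `canvas.toBlob` over `toDataURL` for the payload: a Blob can be dropped after upload, whereas the base64 data: URL is a large immutable string that lingers until collected.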

0 Answers