In the specs it says:
Whenever the toDataURL() method of a
canvas element whose origin-clean flag
is set to false is called, the method
must raise a SECURITY_ERR exception.
If the image is coming from another server I don’t think you can use toDataURL()