[webkit-changes] [WebKit/WebKit] 2c5193: Canvas' security should not take into account Sing...

Jean-Yves Avenard noreply at github.com
Wed Nov 30 17:23:58 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2c5193d0471c2417232a02a7aff688e4744f5839
      https://github.com/WebKit/WebKit/commit/2c5193d0471c2417232a02a7aff688e4744f5839
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2022-11-30 (Wed, 30 Nov 2022)

  Changed paths:
    M Source/WebCore/html/canvas/CanvasRenderingContext.cpp
    M Source/WebCore/loader/cache/CachedResource.cpp
    M Source/WebCore/loader/cache/CachedResource.h

  Log Message:
  -----------
  Canvas' security should not take into account Single Origin (for videos and images)
https://bugs.webkit.org/show_bug.cgi?id=242889
rdar://97245327

Reviewed by Youenn Fablet.

Per canvas' spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean

an object image is not origin-clean if:
HTMLOrSVGImageElement
    image's current request's image data is CORS-cross-origin.
HTMLVideoElement
    image's media data is CORS-cross-origin.
HTMLCanvasElement
ImageBitmap
    image's bitmap's origin-clean flag is false.

And as per the security's policy:
https://html.spec.whatwg.org/multipage/canvas.html#security-with-canvas-elements

"To mitigate this, bitmaps used with canvas elements and ImageBitmap objects are defined to have a flag indicating whether they are origin-clean. All bitmaps start with their origin-clean set to true. The flag is set to false when cross-origin images are used."

The implementation prevented drawing into a canvas a video that was served across multiple mirrors as is commonly found in the media world.

* Source/WebCore/html/canvas/CanvasRenderingContext.cpp:
(WebCore::CanvasRenderingContext::wouldTaintOrigin):
* Source/WebCore/loader/cache/CachedResource.cpp:
(WebCore::CachedResource::isCORSCrossOrigin const):
* Source/WebCore/loader/cache/CachedResource.h:

Canonical link: https://commits.webkit.org/257207@main
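The origin-clean rule the commit message cites is easy to get wrong in exactly the way the message describes: what matters is whether the image's response is CORS-cross-origin (opaque tainting), not how many origins served it along the way. The following stand-alone C++ model is an added example written for this page; it is not WebKit's CanvasRenderingContext or CachedResource code. All names in it (Origin, Hop, fetchResponseType, isCORSCrossOrigin, drawImage, canReadBack, singleOriginRuleWouldTaint) are hypothetical, and the "single origin" heuristic only models the over-strict behaviour the message describes, not the code WebKit actually removed. It walks a redirect chain across two CORS-enabled mirrors once in CORS mode and once in no-cors mode and shows which case taints the canvas.

```cpp
// Added example (not WebKit code): a minimal model of the HTML spec's
// "CORS-cross-origin" check and the canvas origin-clean flag.
#include <cstdio>
#include <string>
#include <vector>

// Response tainting outcomes from the Fetch standard (simplified).
enum class ResponseType { Basic, Cors, Opaque, NetworkError };

// Request mode: <img>/<video> without crossorigin is NoCors; crossorigin="anonymous" is Cors.
enum class RequestMode { NoCors, Cors };

struct Origin {
    std::string scheme;
    std::string host;
    int port;
    bool operator==(const Origin& o) const { return scheme == o.scheme && host == o.host && port == o.port; }
};

// One hop of a possibly redirecting fetch (constructed model): the origin that served it and
// whether its Access-Control-Allow-Origin header matched the requesting document.
struct Hop {
    Origin origin;
    bool allowsRequester;
};

// Derive the response type from the redirect chain, as a CORS-aware fetch would.
ResponseType fetchResponseType(const Origin& requester, RequestMode mode, const std::vector<Hop>& chain) {
    bool crossedOrigin = false;
    for (const Hop& hop : chain) {
        if (hop.origin == requester)
            continue;
        crossedOrigin = true;
        if (mode == RequestMode::Cors && !hop.allowsRequester)
            return ResponseType::NetworkError; // CORS check failed at this hop
    }
    if (!crossedOrigin)
        return ResponseType::Basic;
    // Cross-origin data is readable only if every cross-origin hop passed the CORS check.
    return mode == RequestMode::Cors ? ResponseType::Cors : ResponseType::Opaque;
}

// HTML spec: a response is CORS-cross-origin when its tainting is opaque.
bool isCORSCrossOrigin(ResponseType type) { return type == ResponseType::Opaque; }

struct CanvasBitmap {
    bool originClean = true; // every bitmap starts origin-clean
};

// Spec rule: drawing a CORS-cross-origin image clears the canvas's origin-clean flag.
// Returns false when there was nothing drawable (failed fetch).
bool drawImage(CanvasBitmap& canvas, ResponseType imageResponse) {
    if (imageResponse == ResponseType::NetworkError)
        return false;
    if (isCORSCrossOrigin(imageResponse))
        canvas.originClean = false;
    return true;
}

// toDataURL / getImageData are allowed only while the flag is still true.
bool canReadBack(const CanvasBitmap& canvas) { return canvas.originClean; }

// Hypothetical over-strict heuristic (models the behaviour the commit message describes):
// taint whenever the media passed through more than one distinct origin, ignoring CORS.
bool singleOriginRuleWouldTaint(const std::vector<Hop>& chain) {
    std::vector<Origin> seen;
    for (const Hop& hop : chain) {
        bool known = false;
        for (const Origin& o : seen)
            known = known || (o == hop.origin);
        if (!known)
            seen.push_back(hop.origin);
    }
    return seen.size() > 1;
}

// Scenario from the commit message: a video requested with CORS is served by mirror A and
// redirected to mirror B, both answering with a matching Access-Control-Allow-Origin.
static const Origin kDoc{"https", "app.example", 443};
static const std::vector<Hop> kMirrors{
    {Origin{"https", "cdn-a.example", 443}, true},
    {Origin{"https", "cdn-b.example", 443}, true},
};

bool mirroredVideoStaysOriginClean() {
    CanvasBitmap canvas;
    drawImage(canvas, fetchResponseType(kDoc, RequestMode::Cors, kMirrors));
    return canReadBack(canvas); // true: readable cross-origin data does not taint
}

bool noCorsMirroredVideoTaints() {
    CanvasBitmap canvas;
    drawImage(canvas, fetchResponseType(kDoc, RequestMode::NoCors, kMirrors));
    return !canReadBack(canvas); // true: opaque data taints the canvas
}

int main() {
    std::printf("CORS mirrors stay clean: %d\n", mirroredVideoStaysOriginClean());
    std::printf("no-cors mirrors taint: %d\n", noCorsMirroredVideoTaints());
    std::printf("single-origin heuristic would taint anyway: %d\n", singleOriginRuleWouldTaint(kMirrors));
    return 0;
}
```

The last line of output is the point of the commit: a heuristic keyed on "more than one origin" rejects the mirrored CORS video even though its response is not CORS-cross-origin, while the spec's rule correctly taints only the no-cors (opaque) case.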