[Webkit-unassigned] [Bug 72654] New: Canvas's toDataURL raises SECURITY_ERR after painting a local image by local file

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 17 14:14:23 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=72654

           Summary: Canvas's toDataURL raises SECURITY_ERR after painting
                    a local image by local file
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Canvas
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rafael.lobo at openbossa.org
                CC: mdelaney at apple.com


Created an attachment (id=115677)
 --> (https://bugs.webkit.org/attachment.cgi?id=115677&action=review)
This is an example of how to reproduce this behavior.

After some experiments with the canvas element in a local file, I've realized that once we paint an image (also a local file) on it, we cannot use toDataURL anymore because it would have tainted its origin. I've put this under canvas, but it is more like a security origin "issue"; I'm not even sure if this is a real bug.

By default, the client's settings don't allow file access from file URLs, and then we check if both origins (the page and the image) match when we check for "isSameSchemeHostPort". As their file paths are different, this doesn't match. As there's nothing else saying that one security origin (page) can request the other URL (image's) in function securityOrigin::taintsCanvas, we just identify that the canvas's origin should be tainted. This check is done once we ask the image to be drawn inside the canvas element.

Now thinking about it, it looks weird that this check says I cannot request that URL, but the page itself loads the image if I put it in any img's src, like I did in the example I've attached. Does this make any sense?

Another thing that seems strange to me is that we cannot generate the data URL for this canvas element after we've tainted its origin. We can still paint everything on it, including new images, but not generate that URL. I'd like to understand if this is somewhat expected or if this could be indeed a bug.

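A simplified model of the check the report describes, as an added example that is not part of the original bug report and is not WebKit's code. The function and class names, the `allowFileAccessFromFileURLs` setting key and the file paths are assumptions made for illustration; it shows the decision being taken at draw time and the canvas staying drawable but no longer exportable once tainted.

```javascript
// Model only: every name below is hypothetical, not a WebKit identifier.
function sameSchemeHostPort(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Would drawing imageUrl into a canvas owned by pageUrl taint that canvas?
function taintsCanvas(pageUrl, imageUrl, settings) {
  const page = new URL(pageUrl);
  const image = new URL(imageUrl);
  if (page.protocol === "file:" && image.protocol === "file:") {
    // With the setting on, any local file may read any other local file.
    if (settings.allowFileAccessFromFileURLs) return false;
    // As described in the report: two file URLs match only if the paths match.
    return page.pathname !== image.pathname;
  }
  return !sameSchemeHostPort(page, image);
}

class ModelCanvas {
  constructor(pageUrl, settings) {
    this.pageUrl = pageUrl;
    this.settings = settings;
    this.originClean = true; // cleared on the first tainting draw, never reset
    this.drawn = [];
  }
  drawImage(imageUrl) {
    // The check runs when the image is drawn, not when it is loaded.
    if (taintsCanvas(this.pageUrl, imageUrl, this.settings)) this.originClean = false;
    this.drawn.push(imageUrl); // drawing itself always succeeds
  }
  toDataURL() {
    if (!this.originClean) {
      const err = new Error("SECURITY_ERR: canvas has been tainted");
      err.name = "SecurityError";
      throw err;
    }
    return "data:image/png;base64,"; // placeholder: the model holds no pixels
  }
}

// Constructed sample paths: a local page painting a sibling local image.
function demo() {
  const page = "file:///home/user/demo/index.html";
  const image = "file:///home/user/demo/photo.png";
  const results = {};
  for (const allow of [false, true]) {
    const canvas = new ModelCanvas(page, { allowFileAccessFromFileURLs: allow });
    canvas.drawImage(image);
    canvas.drawImage(image); // still allowed on a tainted canvas
    try { canvas.toDataURL(); results[allow] = "ok"; } catch (e) { results[allow] = e.name; }
  }
  return results;
}
console.log(demo());
```

Displaying the image in an `img` element and reading its pixels back through script are separate capabilities; the origin-clean flag only restricts the second.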