[Webkit-unassigned] [Bug 242889] New: Canvas' security should not take into account Single Origin (for videos and images)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 19 01:14:29 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=242889

            Bug ID: 242889
           Summary: Canvas' security should not take into account Single
                    Origin (for videos and images)
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Canvas
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jean-yves.avenard at apple.com
                CC: dino at apple.com

Per canvas' spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean

an object image is not origin-clean if:
HTMLOrSVGImageElement
    image's current request's image data is CORS-cross-origin.
HTMLVideoElement
    image's media data is CORS-cross-origin.
HTMLCanvasElement
ImageBitmap
    image's bitmap's origin-clean flag is false.

And as per the security's policy:
https://html.spec.whatwg.org/multipage/canvas.html#security-with-canvas-elements

"To mitigate this, bitmaps used with canvas elements and ImageBitmap objects are defined to have a flag indicating whether they are origin-clean. All bitmaps start with their origin-clean set to true. The flag is set to false when cross-origin images are used."

And various methods will reject their promise according to this origin-clean flag.
Such as getImageData: https://html.spec.whatwg.org/multipage/canvas.html#dom-context-2d-getimagedata
2. If the CanvasRenderingContext2D's origin-clean flag is set to false, then throw a "SecurityError" DOMException.

`CanvasRenderingContext::wouldTaintOrigin` is the method used to determine if a particular object can be used with a canvas.
Image:
https://searchfox.org/wubkat/rev/3c7828ddd50109debe235dded88a94e66d33e879/Source/WebCore/html/canvas/CanvasRenderingContext.cpp#132-133
```
   if (!image->hasSingleSecurityOrigin())
        return true;
```

Videos:
https://searchfox.org/wubkat/rev/3c7828ddd50109debe235dded88a94e66d33e879/Source/WebCore/html/canvas/CanvasRenderingContext.cpp#154-155
```
    if (!video->hasSingleSecurityOrigin())
        return true;
```

This requirement that an object used with a canvas has a single origin isn't found in the canvas spec ; only that the data is CORS-cross-origin

The current implementation prevents drawing into a canvas a video that was served across multiple mirrors as is commonly found in the media world.

The check that hasSingleSecurityOrigin must be true should be removed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220719/9ff8bf94/attachment.htm>

More information about the webkit-unassigned mailing list