[Webkit-unassigned] [Bug 248437] New: Canvas' security should not take into account Single Origin for SVG images

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 28 15:57:09 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=248437

            Bug ID: 248437
           Summary: Canvas' security should not take into account Single
                    Origin for SVG images
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Canvas
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jean-yves.avenard at apple.com
                CC: dino at apple.com
            Blocks: 119639

This is similar to bug 242889, but requires a more extensive solution.

Per the canvas spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean

an image object is not origin-clean if, for an HTMLOrSVGImageElement:

    image's current request's image data is CORS-cross-origin.

And per the spec's security section for canvas elements:
https://html.spec.whatwg.org/multipage/canvas.html#security-with-canvas-elements

"To mitigate this, bitmaps used with canvas elements and ImageBitmap objects are defined to have a flag indicating whether they are origin-clean. All bitmaps start with their origin-clean set to true. The flag is set to false when cross-origin images are used."

Various methods then reject their promise according to this origin-clean flag. For example, step 2 of getImageData:
https://html.spec.whatwg.org/multipage/canvas.html#dom-context-2d-getimagedata

    2. If the CanvasRenderingContext2D's origin-clean flag is set to false, then throw a "SecurityError" DOMException.

`CanvasRenderingContext::wouldTaintOrigin` is the method used to determine if a particular object can be used with a canvas without tainting it.
For the image case:
https://searchfox.org/wubkat/rev/3c7828ddd50109debe235dded88a94e66d33e879/Source/WebCore/html/canvas/CanvasRenderingContext.cpp#132-133
```
    if (!image->hasSingleSecurityOrigin())
        return true;
```

The requirement that the SVG have a single security origin is incorrect. It was introduced in https://trac.webkit.org/changeset/195614/webkit, which made SVG images containing a foreignObject taint the canvas regardless of whether their data was cross-origin.
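The following is an added illustration, not WebKit code or anything from the report: a small model of the spec's origin-clean rule quoted above, next to the WebKit rule with the extra `hasSingleSecurityOrigin` check. The image descriptors, the `CanvasModel` class and the `readbackAllowed` helper are all constructed for this example; in particular, treating an SVG with a foreignObject as "not single security origin" is an assumption drawn from the report's description of the changeset, not from reading the WebKit source.

```javascript
// Added example (not WebKit code): a model of the HTML spec's origin-clean
// handling for canvas, beside the extra single-security-origin check that the
// bug report says WebKit applies to SVG images.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SecurityError';
  }
}

// Constructed image descriptor (assumption: two booleans are enough here).
//  - corsCrossOrigin: the spec's "image data is CORS-cross-origin".
//  - hasSingleSecurityOrigin: models WebKit's hasSingleSecurityOrigin(); per
//    the report it is false for an SVG image containing a <foreignObject>.
function makeImage({ corsCrossOrigin, hasSingleSecurityOrigin = true }) {
  return { corsCrossOrigin, hasSingleSecurityOrigin };
}

// Spec rule for HTMLOrSVGImageElement: the image taints the canvas only when
// its current request's image data is CORS-cross-origin.
function specWouldTaintOrigin(image) {
  return image.corsCrossOrigin;
}

// WebKit rule as described in the report: the spec rule plus the requirement
// that the image have a single security origin.
function webkitWouldTaintOrigin(image) {
  if (!image.hasSingleSecurityOrigin)
    return true;
  return image.corsCrossOrigin;
}

// Minimal canvas model: origin-clean starts true, is cleared the first time a
// tainting image is drawn, and getImageData throws SecurityError afterwards.
class CanvasModel {
  constructor(wouldTaintOrigin) {
    this.originClean = true;
    this.wouldTaintOrigin = wouldTaintOrigin;
  }

  drawImage(image) {
    if (this.wouldTaintOrigin(image))
      this.originClean = false;
  }

  getImageData() {
    if (!this.originClean)
      throw new SecurityError('The canvas has been tainted by cross-origin data.');
    return new Uint8ClampedArray(4); // stand-in for real RGBA pixel data
  }
}

// Draw one image under a given rule set and report whether readback is
// still permitted afterwards.
function readbackAllowed(wouldTaintOrigin, image) {
  const canvas = new CanvasModel(wouldTaintOrigin);
  canvas.drawImage(image);
  try {
    canvas.getImageData();
    return true;
  } catch (e) {
    if (e instanceof SecurityError)
      return false;
    throw e;
  }
}

// Constructed cases.
const sameOriginSvgWithForeignObject =
  makeImage({ corsCrossOrigin: false, hasSingleSecurityOrigin: false });
const crossOriginPng = makeImage({ corsCrossOrigin: true });

// Both rules block the cross-origin image; only the WebKit rule also blocks
// the same-origin SVG, which is the divergence the report is about.
console.log('spec, same-origin SVG with foreignObject:',
  readbackAllowed(specWouldTaintOrigin, sameOriginSvgWithForeignObject));
console.log('webkit, same-origin SVG with foreignObject:',
  readbackAllowed(webkitWouldTaintOrigin, sameOriginSvgWithForeignObject));
console.log('spec, cross-origin PNG:',
  readbackAllowed(specWouldTaintOrigin, crossOriginPng));
console.log('webkit, cross-origin PNG:',
  readbackAllowed(webkitWouldTaintOrigin, crossOriginPng));
```

The model only reflects the tainting decision; the real check in WebKit also covers other drawable sources, and the spec's origin-clean flag additionally propagates through ImageBitmap and other canvases, which this example leaves out.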
