[Webkit-unassigned] [Bug 248462] New: Canvas check for painting videos is incorrect.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 29 01:05:52 PST 2022 

https://bugs.webkit.org/show_bug.cgi?id=248462

            Bug ID: 248462
           Summary: Canvas check for painting videos is incorrect.
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Media
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jean-yves.avenard at apple.com

Similar to bug 242889, that cause the same end result but for a slightly different reason.


Canvas' security should not take into account Single Origin (for videos and images)

Per canvas' spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean

an object image is not origin-clean if:
HTMLOrSVGImageElement
    image's current request's image data is CORS-cross-origin.
HTMLVideoElement
    image's media data is CORS-cross-origin.
HTMLCanvasElement
ImageBitmap
    image's bitmap's origin-clean flag is false.

The definition for CORS-cross-origin is:
https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-cross-origin
"A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin."

However, the `bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)` method to perform this check does:
```
    if (!video->didPassCORSAccessCheck() && video->wouldTaintOrigin(*m_canvas.securityOrigin()))
        return true;
```

When a video is decoded via AVFoundation; the method wouldTaintOrigin does the following in WebCoreNSURLSession:
```
- (BOOL)wouldTaintOrigin:(const WebCore::SecurityOrigin &)origin
{
    for (auto& responseOrigin : _origins) {
        if (!origin.isSameOriginDomain(*responseOrigin))
            return true;
    }
    return false;
}
```

so it only checks that the origin is the same across all responses.

This isn't per spec, the origin should be ignored and instead we should rely on the CORS cross-origin data.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221129/beb6a732/attachment.htm>

More information about the webkit-unassigned mailing list