[Webkit-unassigned] [Bug 248462] New: Canvas check for painting videos is incorrect.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Nov 29 01:05:52 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=248462
Bug ID: 248462
Summary: Canvas check for painting videos is incorrect.
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Media
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jean-yves.avenard at apple.com
Similar to bug 242889, that cause the same end result but for a slightly different reason.
Canvas' security should not take into account Single Origin (for videos and images)
Per canvas' spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean
an object image is not origin-clean if:
HTMLOrSVGImageElement
image's current request's image data is CORS-cross-origin.
HTMLVideoElement
image's media data is CORS-cross-origin.
HTMLCanvasElement
ImageBitmap
image's bitmap's origin-clean flag is false.
The definition for CORS-cross-origin is:
https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-cross-origin
"A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin."
However, the `bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)` method to perform this check does:
```
if (!video->didPassCORSAccessCheck() && video->wouldTaintOrigin(*m_canvas.securityOrigin()))
return true;
```
When a video is decoded via AVFoundation; the method wouldTaintOrigin does the following in WebCoreNSURLSession:
```
- (BOOL)wouldTaintOrigin:(const WebCore::SecurityOrigin &)origin
{
for (auto& responseOrigin : _origins) {
if (!origin.isSameOriginDomain(*responseOrigin))
return true;
}
return false;
}
```
so it only checks that the origin is the same across all responses.
This isn't per spec, the origin should be ignored and instead we should rely on the CORS cross-origin data.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221129/beb6a732/attachment.htm>
More information about the webkit-unassigned
mailing list