129172 2014-02-21 14:51:07 -0800 SVG Data URLs "taint" canvas as cross-origin 2022-06-01 18:53:45 -0700 1 1 1 Unclassified WebKit Canvas 528+ (Nightly build) Unspecified Unspecified RESOLVED CONFIGURATION CHANGED P2 Normal --- 1 brooks webkit-unassigned ahmad.saleem792 ap dtrebbien krit oldest_to_newest 983377 0 224914 brooks 2014-02-21 14:51:07 -0800 Created attachment 224914 Test case for bug Related to Bug 108755 (https://bugs.webkit.org/show_bug.cgi?id=108755) that case seems to have resolved the issue for Data URLs that use base64-encoding, however when using a Data URL in utf8-encoding with SVG data, the same "SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent." is thrown. To reproduce: 1. Open the attached test case. OR 1. Generate an SVG image. 2. Add "data:image/svg+xml;utf8," as a prefix to turn it into a Data URL and set is as the "src" of an image 3. Paint that image onto a Canvas and try to call toDataURL() on it. 983918 1 brooks 2014-02-24 08:35:32 -0800 Correction: Data URIs in UTF8 format (data:image/svg+xml;utf8) and Base64 format (data:image/svg+xml;base64) seem to both taint the canvas; the checks to ensure an SVG source is safe seem to only check an SVG included as a remote file, and don't scan Data URI contents themselves. 997078 2 krit 2014-04-03 01:26:34 -0700 (In reply to comment #1) > Correction: Data URIs in UTF8 format (data:image/svg+xml;utf8) and Base64 format (data:image/svg+xml;base64) seem to both taint the canvas; the checks to ensure an SVG source is safe seem to only check an SVG included as a remote file, and don't scan Data URI contents themselves. We load the SVG as SVG image which should be save enough, since SVG images already make sure that the security model is followed. A question: Can you load an embed an external SVG document in the Canvas? 1051269 3 dtrebbien 2014-11-28 10:01:05 -0800 Seems to be fixed in Safari 8.0 (10600.1.25.1). 1873259 4 ahmad.saleem792 2022-06-01 02:54:40 -0700 I am not able to reproduce the issue in Safari 15.5 on macOS 12.4 and Safari behaves same as Firefox Nightly 103. Although, Chrome Canary 104 behaves differently and does not show any picture like Firefox and Safari. Should this be marked as "RESOLVED CONFIGURATION CHANGED"? 1873475 5 ap 2022-06-01 18:52:04 -0700 Thank you for checking! 1873476 6 ap 2022-06-01 18:53:45 -0700 Not sure what's up with Chrome, but that doesn't seem to be the same issue: Uncaught TypeError: Cannot read properties of null (reading 'appendChild') at Image.completionHandler (attachment.cgi?id=224914:26:17) 224914 2014-02-21 14:51:07 -0800 2014-02-21 14:51:07 -0800 Test case for bug svgtest.html text/html 5438 brooks PCEtLQoKU2VjdXJpdHkgRE9NIEV4Y2VwdGlvbiB3aGVuIGdldHRpbmcgdG9EYXRhVVJMIG9mIGNh bnZhcyB3aXRoIFNWRyBjb250ZW50cwoKRmlsZWQgYnk6IEpvbmF0aGFuIERldXRzY2ggPGpvbmF0 aGFuQHR1bXVsdC5jb20+ClRoaXMgYWZmZWN0cyBUdW11bHQgSHlwZSBodHRwOi8vdHVtdWx0LmNv bS9oeXBlLwoKLS0+Cgo8c2NyaXB0PgoKdmFyIGltZyA9IG5ldyBJbWFnZSgpOwp2YXIgZGF0YVVS TCA9ICIiOwoKdmFyIHN2Z0RhdGEgPSAnPHN2ZyB2ZXJzaW9uPSIxLjEiCSBpZD0ic3ZnMiIgc29k aXBvZGk6dmVyc2lvbj0iMC4zMiIgaW5rc2NhcGU6dmVyc2lvbj0iMC40NCIgc29kaXBvZGk6ZG9j YmFzZT0iL1VzZXJzL2RpY2tseW9uL0Rlc2t0b3Avd2lraSBwaXgiIHNvZGlwb2RpOmRvY25hbWU9 IkZpYm9uYWNjaSBzcGlyYWwgMzQuc3ZnIiB4bWxuczppbmtzY2FwZT0iaHR0cDovL3d3dy5pbmtz Y2FwZS5vcmcvbmFtZXNwYWNlcy9pbmtzY2FwZSIgeG1sbnM6c29kaXBvZGk9Imh0dHA6Ly9zb2Rp cG9kaS5zb3VyY2Vmb3JnZS5uZXQvRFREL3NvZGlwb2RpLTAuZHRkIiB4bWxuczpyZGY9Imh0dHA6 Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiIHhtbG5zOnN2Zz0iaHR0cDov L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOmNjPSJodHRwOi8vd2ViLnJlc291cmNlLm9yZy9j Yy8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIJIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3Jn LzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB3aWR0aD0iOTE0LjVweCIgaGVpZ2h0PSI1Nzgu NXB4Igkgdmlld0JveD0iMCAwIDkxNC41IDU3OC41IiBlbmFibGUtYmFja2dyb3VuZD0ibmV3IDAg MCA5MTQuNSA1NzguNSIgeG1sOnNwYWNlPSJwcmVzZXJ2ZSI+PHNvZGlwb2RpOm5hbWVkdmlldyAg Z3VpZGV0b2xlcmFuY2U9IjEwLjAiIHdpZHRoPSI5OTcuODdweCIgaGVpZ2h0PSI2MjAuOTlweCIg Ym9yZGVyb3BhY2l0eT0iMS4wIiBpbmtzY2FwZTpwYWdlc2hhZG93PSIyIiBvYmplY3R0b2xlcmFu Y2U9IjEwMDAwIiBpZD0iYmFzZSIgaW5rc2NhcGU6d2luZG93LXdpZHRoPSIxMTUyIiBncmlkdG9s ZXJhbmNlPSIxMDAwMCIgaW5rc2NhcGU6d2luZG93LWhlaWdodD0iODA4IiBpbmtzY2FwZTpwYWdl b3BhY2l0eT0iMC4wIiBwYWdlY29sb3I9IiNmZmZmZmYiIGJvcmRlcmNvbG9yPSIjNjY2NjY2IiBp bmtzY2FwZTp6b29tPSIwLjU0MTAxOTUxIiBpbmtzY2FwZTpjeD0iNTYzLjMwMTY0IiBpbmtzY2Fw ZTpjeT0iMzkuMTY5NjY2IiBpbmtzY2FwZTp3aW5kb3cteD0iLTQiIGlua3NjYXBlOndpbmRvdy15 PSIyMiIgaW5rc2NhcGU6Y3VycmVudC1sYXllcj0ic3ZnMiIgc2hvd2dyaWQ9InRydWUiIGlua3Nj YXBlOm9iamVjdC1iYm94PSJ0cnVlIiBncmlkc3BhY2luZ3k9IjRweCIgaW5rc2NhcGU6Z3JpZC1w b2ludHM9InRydWUiIGdyaWRlbXBzcGFjaW5nPSI0IiBncmlkc3BhY2luZ3g9IjRweCI+CTwvc29k aXBvZGk6bmFtZWR2aWV3PjxyZWN0IGlkPSJyZWN0MzgxNiIgeD0iNjM5Ljg4MyIgeT0iNDAyLjUi IGZpbGw9Im5vbmUiIHN0cm9rZT0iI0JCRUFGRiIgc3Ryb2tlLXdpZHRoPSI2IiB3aWR0aD0iMTYi IGhlaWdodD0iMTYiLz48cmVjdCBpZD0icmVjdDM4MTgiIHg9IjYzOS44ODMiIHk9IjQxOC41IiBm aWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgd2lkdGg9IjE2IiBo ZWlnaHQ9IjE2Ii8+PHJlY3QgaWQ9InJlY3QzODIwIiB4PSI2NTUuODgzIiB5PSI0MDIuNjI0IiBm aWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgd2lkdGg9IjMyIiBo ZWlnaHQ9IjMxLjg3NiIvPjxyZWN0IGlkPSJyZWN0MzgyMiIgeD0iNjM5Ljg4MyIgeT0iMzU0LjUi IGZpbGw9Im5vbmUiIHN0cm9rZT0iI0JCRUFGRiIgc3Ryb2tlLXdpZHRoPSI2IiB3aWR0aD0iNDgi IGhlaWdodD0iNDgiLz48cmVjdCBpZD0icmVjdDM4MjQiIHg9IjU1OS44ODMiIHk9IjM1NC41IiBm aWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgd2lkdGg9IjgwIiBo ZWlnaHQ9IjgwIi8+PHJlY3QgaWQ9InJlY3QzODI2IiB4PSI1NTkuODgzIiB5PSI0MzQuMDkxIiBm aWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgd2lkdGg9IjEyOCIg aGVpZ2h0PSIxMjguNDA5Ii8+PHJlY3QgaWQ9InJlY3QzODI4IiB4PSI2ODcuODUzIiB5PSIzNTQu NjA4IiBmaWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgd2lkdGg9 IjIwOC4xNDciIGhlaWdodD0iMjA3Ljc4MyIvPjxwYXRoIGlkPSJwYXRoNDcyMyIgc29kaXBvZGk6 Y3g9IjQwMCIgc29kaXBvZGk6Y3k9Ii0yMjkuODEyNDciIHNvZGlwb2RpOnR5cGU9ImFyYyIgc29k aXBvZGk6cng9IjE2IiBzb2RpcG9kaTpyeT0iMTYiIHNvZGlwb2RpOnN0YXJ0PSIxLjU3MDc5NjMi IHNvZGlwb2RpOmVuZD0iMy4xNDE1OTI3IiBzb2RpcG9kaTpvcGVuPSJ0cnVlIiBmaWxsPSJub25l IiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgZD0iCU02NTUuODgzLDQzNC41Yy04 LjgzNywwLTE2LTcuMTYzLTE2LTE2Ii8+PHBhdGggaWQ9InBhdGg0NzI3IiBzb2RpcG9kaTpjeD0i NDAwIiBzb2RpcG9kaTpjeT0iLTI0NS44MTI0NyIgc29kaXBvZGk6dHlwZT0iYXJjIiBzb2RpcG9k aTpyeD0iMzIiIHNvZGlwb2RpOnJ5PSIzMiIgc29kaXBvZGk6c3RhcnQ9IjAiIHNvZGlwb2RpOmVu ZD0iMS41NzA3OTYzIiBzb2RpcG9kaTpvcGVuPSJ0cnVlIiBmaWxsPSJub25lIiBzdHJva2U9IiNC QkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgZD0iCU02ODcuODgzLDQwMi41YzAsMTcuNjczLTE0LjMy NywzMi0zMiwzMiIvPjxwYXRoIGlkPSJwYXRoNDcyOSIgc29kaXBvZGk6Y3g9IjM4NCIgc29kaXBv ZGk6Y3k9Ii0yNDUuODEyNDciIHNvZGlwb2RpOnR5cGU9ImFyYyIgc29kaXBvZGk6cng9IjQ4IiBz b2RpcG9kaTpyeT0iNDgiIHNvZGlwb2RpOnN0YXJ0PSI0LjcxMjM4OSIgc29kaXBvZGk6ZW5kPSI2 LjI4MzE4NTMiIHNvZGlwb2RpOm9wZW49InRydWUiIGZpbGw9Im5vbmUiIHN0cm9rZT0iI0JCRUFG RiIgc3Ryb2tlLXdpZHRoPSI2IiBkPSIJTTYzOS44ODMsMzU0LjVjMjYuNTEsMCw0OCwyMS40OSw0 OCw0OCIvPjxwYXRoIGlkPSJwYXRoNDczMSIgc29kaXBvZGk6Y3g9IjM4NCIgc29kaXBvZGk6Y3k9 Ii0yMTMuODEyNDciIHNvZGlwb2RpOnR5cGU9ImFyYyIgc29kaXBvZGk6cng9IjgwIiBzb2RpcG9k aTpyeT0iODAiIHNvZGlwb2RpOnN0YXJ0PSIzLjE0MTU5MjciIHNvZGlwb2RpOmVuZD0iNC43MTIz ODkiIHNvZGlwb2RpOm9wZW49InRydWUiIGZpbGw9Im5vbmUiIHN0cm9rZT0iI0JCRUFGRiIgc3Ry b2tlLXdpZHRoPSI2IiBkPSIJTTU1OS44ODMsNDM0LjVjMC00NC4xODMsMzUuODE3LTgwLDgwLTgw Ii8+PHBhdGggaWQ9InBhdGg0NzM1IiBzb2RpcG9kaTpjeD0iNDMyIiBzb2RpcG9kaTpjeT0iLTIx My44MTI0NyIgc29kaXBvZGk6dHlwZT0iYXJjIiBzb2RpcG9kaTpyeD0iMTI4IiBzb2RpcG9kaTpy eT0iMTI4IiBzb2RpcG9kaTpzdGFydD0iMS41NzA3OTYzIiBzb2RpcG9kaTplbmQ9IjMuMTQxNTky NyIgc29kaXBvZGk6b3Blbj0idHJ1ZSIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjQkJFQUZGIiBzdHJv a2Utd2lkdGg9IjYiIGQ9IglNNjg3Ljg4Myw1NjIuNWMtNzAuNjkyLDAtMTI4LTU3LjMwOC0xMjgt MTI4bDAsMCIvPjxwYXRoIGlkPSJwYXRoNDczNyIgc29kaXBvZGk6Y3g9IjQzMiIgc29kaXBvZGk6 Y3k9Ii0yOTMuODEyNDciIHNvZGlwb2RpOnR5cGU9ImFyYyIgc29kaXBvZGk6cng9IjIwOCIgc29k aXBvZGk6cnk9IjIwOCIgc29kaXBvZGk6c3RhcnQ9IjAiIHNvZGlwb2RpOmVuZD0iMS41NzA3OTYz IiBzb2RpcG9kaTpvcGVuPSJ0cnVlIiBmaWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9r ZS13aWR0aD0iNiIgZD0iCU04OTUuODgzLDM1NC41YzAsMTE0Ljg3NS05My4xMjUsMjA4LTIwOCwy MDgiLz48cmVjdCBpZD0icmVjdDI3ODMiIHg9IjU2MCIgeT0iMTguNSIgZmlsbD0ibm9uZSIgc3Ry b2tlPSIjQkJFQUZGIiBzdHJva2Utd2lkdGg9IjYiIHdpZHRoPSIzMzYiIGhlaWdodD0iMzM2Ii8+ PHJlY3QgaWQ9InJlY3QyNzg1IiB4PSIxNiIgeT0iMTguNSIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIj QkJFQUZGIiBzdHJva2Utd2lkdGg9IjYiIHdpZHRoPSI1NDQiIGhlaWdodD0iNTQ0Ii8+PHBhdGgg aWQ9InBhdGgyNzk1IiBzb2RpcG9kaTpjeD0iNTYwIiBzb2RpcG9kaTpjeT0iNTYyLjUiIHNvZGlw b2RpOnR5cGU9ImFyYyIgc29kaXBvZGk6cng9IjU0NCIgc29kaXBvZGk6cnk9IjU0NCIgc29kaXBv ZGk6c3RhcnQ9IjMuMTQxNTkyNyIgc29kaXBvZGk6ZW5kPSI0LjcxMjM4OSIgc29kaXBvZGk6b3Bl bj0idHJ1ZSIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjQkJFQUZGIiBzdHJva2Utd2lkdGg9IjYiIGQ9 IglNMTYsNTYyLjVjMC0zMDAuNDQzLDI0My41NTctNTQ0LDU0NC01NDQiLz48cGF0aCBpZD0icGF0 aDI3OTciIHNvZGlwb2RpOmN4PSI1NjAiIHNvZGlwb2RpOmN5PSIzNTQuNSIgc29kaXBvZGk6dHlw ZT0iYXJjIiBzb2RpcG9kaTpyeD0iMzM2IiBzb2RpcG9kaTpyeT0iMzM2IiBzb2RpcG9kaTpzdGFy dD0iNC43MTIzODkiIHNvZGlwb2RpOmVuZD0iNi4yODMxODUzIiBzb2RpcG9kaTpvcGVuPSJ0cnVl IiBmaWxsPSJub25lIiBzdHJva2U9IiNCQkVBRkYiIHN0cm9rZS13aWR0aD0iNiIgZD0iCU01NjAs MTguNWMxODUuNTY3LDAsMzM2LDE1MC40MzIsMzM2LDMzNiIvPjwvc3ZnPic7Cgp2YXIgY29tcGxl dGlvbkhhbmRsZXIgPSBmdW5jdGlvbihlKSB7CglpbWcgPSB0aGlzOwoJaWYoZS50eXBlID09ICJs b2FkIikgewoJCXZhciBidWZmZXIgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdjYW52YXMnKTsK CQlidWZmZXIud2lkdGggPSBpbWcud2lkdGg7CgkJYnVmZmVyLmhlaWdodCA9IGltZy5oZWlnaHQ7 CgkJYnVmZmVyLmdldENvbnRleHQoIjJkIikuZHJhd0ltYWdlKGltZywgMCwgMCk7CgkJCgkJLy8g cmVuZGVycyBmaW5lIGFuZCBzaG93cyB1cCBpbiB0aGUgYnJvd3NlcgoJCWRvY3VtZW50LmJvZHku YXBwZW5kQ2hpbGQoYnVmZmVyKTsKCQkKCQkvLyB0aGlzIGxpbmUgdGhyb3dzOgoJCS8vIFNFQ1VS SVRZX0VSUjogRE9NIEV4Y2VwdGlvbiAxODogQW4gYXR0ZW1wdCB3YXMgbWFkZSB0byBicmVhayB0 aHJvdWdoIHRoZSBzZWN1cml0eSBwb2xpY3kgb2YgdGhlIHVzZXIgYWdlbnQuCgkJZGF0YVVSTCA9 IGJ1ZmZlci50b0RhdGFVUkwoKTsKCX0KfQkKCmltZy5vbmxvYWQgPSBjb21wbGV0aW9uSGFuZGxl cjsKaW1nLnNyYyA9ICJkYXRhOmltYWdlL3N2Zyt4bWw7dXRmOCwiK2VuY29kZVVSSUNvbXBvbmVu dChzdmdEYXRhKTsKCjwvc2NyaXB0Pgo=