156176 2016-04-04 13:18:26 -0700 Investigate letting foreignObject not taint the canvas when drawing svg into canvas. 2022-07-18 15:39:00 -0700 1 1 1 Unclassified WebKit SVG WebKit Nightly Build Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=119492 InRadar P2 Normal --- 91523 131033 1 pdr webkit-unassigned aman62 ap bfulgham chrishtr dbates dino fred.wang sabouhallawa simon.fraser thorton webkit-bug-importer zimmermann oldest_to_newest 1180461 0 pdr 2016-04-04 13:18:26 -0700 Out of an abundance of caution [1] webkit currently taints the canvas when an svg image containing a foreign object is drawn into the canvas[2]. The core issue is described in https://bugs.webkit.org/show_bug.cgi?id=119492#c33. Blink also has this behavior and we recently reconsidered it in https://crbug.com/294129#c21, but no progress has been made (I will update this bug if there ever is any). I'd think we should change this, but it's risky and I haven't seen a lot of user interest in it. [1] Getting this wrong has serious issues, see: https://goo.gl/78PwDy [2] http://trac.webkit.org/browser/trunk/Source/WebCore/svg/graphics/SVGImage.cpp?rev=198655#L85 1180763 1 fred.wang 2016-04-05 02:22:48 -0700 FWIW, the MDN page: https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Drawing_DOM_objects_into_a_canvas 1180877 2 pdr 2016-04-05 11:02:22 -0700 @Frederic, on the webkit-dev thread you asked "Maybe it would be worth checking with them what was their rationale to remove that restriction and if it's worth following the same approach for Blink/WebKit...". I think we could remove this restriction today, but I do not trust our implementation of foreignObject to not leak data. This problem is specific to our implementation. I think a path forward will be to have someone look very closely at <foreignObject> and the data it can leak, and then just flip the switch if it is safe (remove SVGImage::hasSingleSecurityOrigin). For WebKit, I would recommend asking someone on Apple's security team to sign off on this too. I support doing this, but it's risky; I haven't done it myself because there hasn't been enough user interest to justify it. 1261874 3 pdr 2016-12-20 19:04:38 -0800 Simon and Said, I think we're going to go ahead with this change in Blink (https://groups.google.com/a/chromium.org/d/msg/blink-dev/yYVVl5ociqA/b5387_fKDwAJ). I follow SVG commits in both Blink and WebKit and I do not know of any security/privacy differences in this area. Would you support the same change in WebKit? I can post the patch but wanted to check with you first. 1264240 4 sabouhallawa 2017-01-05 14:26:53 -0800 (In reply to comment #3) > Simon and Said, > I think we're going to go ahead with this change in Blink > (https://groups.google.com/a/chromium.org/d/msg/blink-dev/yYVVl5ociqA/ > b5387_fKDwAJ). I follow SVG commits in both Blink and WebKit and I do not > know of any security/privacy differences in this area. Would you support the > same change in WebKit? I can post the patch but wanted to check with you > first. I agree with this change since this will make WebKit compliant with the specs and the other browsers. I did a basic testing and I found out WebKt does not apply any linking style when drawing an SVG to a canvas (see attached test case). But I think the WebKit security team needs to sign off on this as well. Brent, do you agree with this change? 1264241 5 298134 sabouhallawa 2017-01-05 14:27:19 -0800 Created attachment 298134 SVG 1264242 6 298135 sabouhallawa 2017-01-05 14:28:25 -0800 Created attachment 298135 test case 1264243 7 pdr 2017-01-05 14:35:30 -0800 Thanks Said! Small update on the blink side: junov is currently writing a few more tests just to be sure®. I'll update this bug (along with a link to the patch with tests) once the full change lands in blink. 1398682 8 aman62 2018-02-13 09:55:47 -0800 Hi there, Any progress on this bug? I came across this bug while using the dom-to-image library for converting an HTML element into a sharable png image. I was hoping that we could make this work without restrictions since Google Chrome and Firefox already allows it. This issue is similar to https://bugs.webkit.org/show_bug.cgi?id=17352 1884926 9 webkit-bug-importer 2022-07-18 15:39:00 -0700 <rdar://problem/97224123> 298134 2017-01-05 14:27:19 -0800 2017-01-05 14:27:19 -0800 SVG link.svg image/svg+xml 725 sabouhallawa PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRw Oi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KICAgIDxzdHlsZT4KICAgICAgICBhIHJlY3Qgewog ICAgICAgICAgICBmaWxsOiBncmVlbiAKICAgICAgICB9IAogICAgICAgIGE6dmlzaXRlZCByZWN0 IHsgCiAgICAgICAgICAgIGZpbGw6IHJlZAogICAgICAgIH0KICAgIDwvc3R5bGU+CiAgICA8YSB4 bGluazpocmVmPSJodHRwczovL3dlYmtpdC5vcmcvIj4KICAgICAgICA8cmVjdCB4PSIwIiB5PSIw IiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCIvPgogICAgPC9hPgogICAgPGEgeGxpbms6aHJlZj0i aHR0cDovL3d3dy5leGFtcGxlLmNvbS8iPgogICAgICAgIDxyZWN0IHg9IjExMCIgeT0iMCIgd2lk dGg9IjEwMCIgaGVpZ2h0PSIxMDAiLz4KICAgIDwvYT4KICAgIDxmb3JlaWduT2JqZWN0IHg9IjAi IHk9IjExMCIgd2lkdGg9IjIxMCIgaGVpZ2h0PSIxMDAiPgogICAgICAgIDxib2R5IHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4KICAgICAgICAgICAgPGEgaHJlZj0iaHR0cHM6 Ly93ZWJraXQub3JnLyI+aHR0cHM6Ly93ZWJraXQub3JnLzwvYT4KICAgICAgICAgICAgPGEgaHJl Zj0iaHR0cDovL3d3dy5leGFtcGxlLmNvbSI+aHR0cDovL3d3dy5leGFtcGxlLmNvbTwvYT4KICAg ICAgICA8L2JvZHk+CiAgICA8L2ZvcmVpZ25PYmplY3Q+Cjwvc3ZnPgo= 298135 2017-01-05 14:28:25 -0800 2017-01-05 14:28:25 -0800 test case test206.html text/html 1353 sabouhallawa PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8Ym9keT4KICAgIDxoMz5pbmxpbmUgc3ZnPC9oMz4KICAg IDxzdmc+CiAgICAgICAgPHN0eWxlPgogICAgICAgICAgICBhIHJlY3QgewogICAgICAgICAgICAg ICAgZmlsbDogZ3JlZW4gCiAgICAgICAgICAgIH0gCiAgICAgICAgICAgIGE6dmlzaXRlZCByZWN0 IHsgCiAgICAgICAgICAgICAgICBmaWxsOiByZWQKICAgICAgICAgICAgfQogICAgICAgIDwvc3R5 bGU+CiAgICAgICAgPGEgeGxpbms6aHJlZj0iaHR0cHM6Ly93ZWJraXQub3JnLyI+CiAgICAgICAg ICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSIxMDAiIGhlaWdodD0iMTAwIi8+CiAgICAgICAg PC9hPgogICAgICAgIDxhIHhsaW5rOmhyZWY9Imh0dHA6Ly93d3cuZXhhbXBsZS5jb20vIj4KICAg ICAgICAgICAgPHJlY3QgeD0iMTEwIiB5PSIwIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCIvPgog ICAgICAgIDwvYT4KICAgICAgICA8Zm9yZWlnbk9iamVjdCB4PSIwIiB5PSIxMTAiIHdpZHRoPSIy MTAiIGhlaWdodD0iMTAwIj4KICAgICAgICAgICAgPGJvZHkgeG1sbnM9Imh0dHA6Ly93d3cudzMu b3JnLzE5OTkveGh0bWwiPgogICAgICAgICAgICAgICAgPGEgaHJlZj0iaHR0cHM6Ly93ZWJraXQu b3JnLyI+aHR0cHM6Ly93ZWJraXQub3JnLzwvYT4KICAgICAgICAgICAgICAgIDxhIGhyZWY9Imh0 dHA6Ly93d3cuZXhhbXBsZS5jb20iPmh0dHA6Ly93d3cuZXhhbXBsZS5jb208L2E+CiAgICAgICAg ICAgIDwvYm9keT4KICAgICAgICA8L2ZvcmVpZ25PYmplY3Q+CiAgICA8L3N2Zz4KICAgIDxoMz5h biBleHRlcm5hbCBzdmc8L2gzPgogICAgPGltZyBzcmM9Imh0dHBzOi8vYnVnLTE1NjE3Ni1hdHRh Y2htZW50cy53ZWJraXQub3JnL2F0dGFjaG1lbnQuY2dpP2lkPTI5ODEzNCI+CiAgICA8aDM+YW4g ZXh0ZXJuYWwgc3ZnIGRyYXduIHRvIGEgY2FudmFzPC9oMz4KICAgIDxjYW52YXMgd2lkdGg9IjIw MHB4IiBoZWlnaHQ9IjIwMHB4Ii8+CiAgICA8c2NyaXB0PgogICAgICAgIHZhciBzdmcgPSBuZXcg SW1hZ2UoKTsKICAgICAgICBzdmcuc3JjID0gImh0dHBzOi8vYnVnLTE1NjE3Ni1hdHRhY2htZW50 cy53ZWJraXQub3JnL2F0dGFjaG1lbnQuY2dpP2lkPTI5ODEzNCI7CgogICAgICAgIHN2Zy5vbmxv YWQgPSBmdW5jdGlvbigpIHsKICAgICAgICAgICAgdmFyIGNhbnZhcyA9IGRvY3VtZW50LmdldEVs ZW1lbnRzQnlUYWdOYW1lKCJjYW52YXMiKVswXTsKICAgICAgICAgICAgdmFyIGN0eCA9IGNhbnZh cy5nZXRDb250ZXh0KCIyZCIpOwogICAgICAgICAgICBjdHguZHJhd0ltYWdlKHN2ZywgMCwgMCk7 CiAgICAgICAgfTsKICAgIDwvc2NyaXB0Pgo8L2JvZHk+CjwvaHRtbD4K