242889 2022-07-19 01:14:29 -0700 Canvas' security should not take into account Single Origin (for videos and images) 2022-11-30 17:23:51 -0800 1 1 1 Unclassified WebKit Canvas Other Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=248437 https://bugs.webkit.org/show_bug.cgi?id=248462 InRadar P2 Normal --- 1 jean-yves.avenard jean-yves.avenard bfulgham dino webkit-bug-importer wilander oldest_to_newest 1885039 0 jean-yves.avenard 2022-07-19 01:14:29 -0700 Per canvas' spec: https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean an object image is not origin-clean if: HTMLOrSVGImageElement image's current request's image data is CORS-cross-origin. HTMLVideoElement image's media data is CORS-cross-origin. HTMLCanvasElement ImageBitmap image's bitmap's origin-clean flag is false. And as per the security's policy: https://html.spec.whatwg.org/multipage/canvas.html#security-with-canvas-elements "To mitigate this, bitmaps used with canvas elements and ImageBitmap objects are defined to have a flag indicating whether they are origin-clean. All bitmaps start with their origin-clean set to true. The flag is set to false when cross-origin images are used." And various methods will reject their promise according to this origin-clean flag. Such as getImageData: https://html.spec.whatwg.org/multipage/canvas.html#dom-context-2d-getimagedata 2. If the CanvasRenderingContext2D's origin-clean flag is set to false, then throw a "SecurityError" DOMException. `CanvasRenderingContext::wouldTaintOrigin` is the method used to determine if a particular object can be used with a canvas. Image: https://searchfox.org/wubkat/rev/3c7828ddd50109debe235dded88a94e66d33e879/Source/WebCore/html/canvas/CanvasRenderingContext.cpp#132-133 ``` if (!image->hasSingleSecurityOrigin()) return true; ``` Videos: https://searchfox.org/wubkat/rev/3c7828ddd50109debe235dded88a94e66d33e879/Source/WebCore/html/canvas/CanvasRenderingContext.cpp#154-155 ``` if (!video->hasSingleSecurityOrigin()) return true; ``` This requirement that an object used with a canvas has a single origin isn't found in the canvas spec ; only that the data is CORS-cross-origin The current implementation prevents drawing into a canvas a video that was served across multiple mirrors as is commonly found in the media world. The check that hasSingleSecurityOrigin must be true should be removed. 1885040 1 webkit-bug-importer 2022-07-19 01:14:53 -0700 <rdar://problem/97245327> 1914872 2 jean-yves.avenard 2022-11-27 16:50:37 -0800 Pull request: https://github.com/WebKit/WebKit/pull/6844 1915785 3 ews-feeder 2022-11-30 17:23:49 -0800 Committed 257207@main (2c5193d0471c): <https://commits.webkit.org/257207@main> Reviewed commits have been landed. Closing PR #6844 and removing active labels.