248437 2022-11-28 15:57:09 -0800 Canvas' security should not take into account Single Origin for SVG images 2022-11-28 16:19:07 -0800 1 1 1 Unclassified WebKit Canvas Other Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=242889 InRadar P2 Normal --- 119639 1 jean-yves.avenard webkit-unassigned dino webkit-bug-importer oldest_to_newest 1915146 0 jean-yves.avenard 2022-11-28 15:57:09 -0800 This is similar to bug 242889, but requires a more extensive solution. Per canvas' spec: https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean an object image is not origin-clean if: HTMLOrSVGImageElement image's current request's image data is CORS-cross-origin. And as per the security's policy: https://html.spec.whatwg.org/multipage/canvas.html#security-with-canvas-elements "To mitigate this, bitmaps used with canvas elements and ImageBitmap objects are defined to have a flag indicating whether they are origin-clean. All bitmaps start with their origin-clean set to true. The flag is set to false when cross-origin images are used." And various methods will reject their promise according to this origin-clean flag. Such as getImageData: https://html.spec.whatwg.org/multipage/canvas.html#dom-context-2d-getimagedata 2. If the CanvasRenderingContext2D's origin-clean flag is set to false, then throw a "SecurityError" DOMException. `CanvasRenderingContext::wouldTaintOrigin` is the method used to determine if a particular object can be used with a canvas. Image: https://searchfox.org/wubkat/rev/3c7828ddd50109debe235dded88a94e66d33e879/Source/WebCore/html/canvas/CanvasRenderingContext.cpp#132-133 ``` if (!image->hasSingleSecurityOrigin()) return true; ``` The requirement that the SVG be of a single security origin is incorrect. It was introduced in https://trac.webkit.org/changeset/195614/webkit which made foreignObject regardless of their cross-origin data to taint the image. 1915157 1 jean-yves.avenard 2022-11-28 16:18:58 -0800 rdar://102738351