248462 2022-11-29 01:05:52 -0800 Canvas check for painting videos is incorrect. 2023-01-19 13:20:06 -0800 1 1 1 Unclassified WebKit Media Other Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=242889 InRadar P2 Normal --- 1 jean-yves.avenard mattwoodrow webkit-bug-importer oldest_to_newest 1915247 0 jean-yves.avenard 2022-11-29 01:05:52 -0800 Similar to bug 242889, that cause the same end result but for a slightly different reason. Canvas' security should not take into account Single Origin (for videos and images) Per canvas' spec: https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean an object image is not origin-clean if: HTMLOrSVGImageElement image's current request's image data is CORS-cross-origin. HTMLVideoElement image's media data is CORS-cross-origin. HTMLCanvasElement ImageBitmap image's bitmap's origin-clean flag is false. The definition for CORS-cross-origin is: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-cross-origin "A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin." However, the `bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)` method to perform this check does: ``` if (!video->didPassCORSAccessCheck() && video->wouldTaintOrigin(*m_canvas.securityOrigin())) return true; ``` When a video is decoded via AVFoundation; the method wouldTaintOrigin does the following in WebCoreNSURLSession: ``` - (BOOL)wouldTaintOrigin:(const WebCore::SecurityOrigin &)origin { for (auto& responseOrigin : _origins) { if (!origin.isSameOriginDomain(*responseOrigin)) return true; } return false; } ``` so it only checks that the origin is the same across all responses. This isn't per spec, the origin should be ignored and instead we should rely on the CORS cross-origin data. 1915248 1 webkit-bug-importer 2022-11-29 01:06:12 -0800 <rdar://problem/102754474> 1925716 2 mattwoodrow 2023-01-15 16:38:30 -0800 Pull request: https://github.com/WebKit/WebKit/pull/8603 1926700 3 ews-feeder 2023-01-19 13:19:51 -0800 Committed 259108@main (ec3e1edcb9e5): <https://commits.webkit.org/259108@main> Reviewed commits have been landed. Closing PR #8603 and removing active labels.