Bug 129172

Summary: SVG Data URLs "taint" canvas as cross-origin
Product: WebKit Reporter: Brooks <brooks>
Component: CanvasAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: ahmad.saleem792, ap, dtrebbien, krit
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case for bug none

Brooks
Reported 2014-02-21 14:51:07 PST
Created attachment 224914 [details] Test case for bug Related to Bug 108755 (https://bugs.webkit.org/show_bug.cgi?id=108755) that case seems to have resolved the issue for Data URLs that use base64-encoding, however when using a Data URL in utf8-encoding with SVG data, the same "SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent." is thrown. To reproduce: 1. Open the attached test case. OR 1. Generate an SVG image. 2. Add "data:image/svg+xml;utf8," as a prefix to turn it into a Data URL and set is as the "src" of an image 3. Paint that image onto a Canvas and try to call toDataURL() on it.
Attachments
Test case for bug (5.31 KB, text/html)
2014-02-21 14:51 PST, Brooks 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Brooks
Comment 1 2014-02-24 08:35:32 PST
Correction: Data URIs in UTF8 format (data:image/svg+xml;utf8) and Base64 format (data:image/svg+xml;base64) seem to both taint the canvas; the checks to ensure an SVG source is safe seem to only check an SVG included as a remote file, and don't scan Data URI contents themselves.
Dirk Schulze
Comment 2 2014-04-03 01:26:34 PDT
(In reply to comment #1) > Correction: Data URIs in UTF8 format (data:image/svg+xml;utf8) and Base64 format (data:image/svg+xml;base64) seem to both taint the canvas; the checks to ensure an SVG source is safe seem to only check an SVG included as a remote file, and don't scan Data URI contents themselves. We load the SVG as SVG image which should be save enough, since SVG images already make sure that the security model is followed. A question: Can you load an embed an external SVG document in the Canvas?
Daniel Trebbien
Comment 3 2014-11-28 10:01:05 PST
Seems to be fixed in Safari 8.0 (10600.1.25.1).
Ahmad Saleem
Comment 4 2022-06-01 02:54:40 PDT
I am not able to reproduce the issue in Safari 15.5 on macOS 12.4 and Safari behaves same as Firefox Nightly 103. Although, Chrome Canary 104 behaves differently and does not show any picture like Firefox and Safari. Should this be marked as "RESOLVED CONFIGURATION CHANGED"?
Alexey Proskuryakov
Comment 5 2022-06-01 18:52:04 PDT
Thank you for checking!
Alexey Proskuryakov
Comment 6 2022-06-01 18:53:45 PDT
Not sure what's up with Chrome, but that doesn't seem to be the same issue: Uncaught TypeError: Cannot read properties of null (reading 'appendChild') at Image.completionHandler (attachment.cgi?id=224914:26:17)
Note You need to log in before you can comment on or make changes to this bug.