Bug 129172

Summary: SVG Data URLs "taint" canvas as cross-origin
Product: WebKit Reporter: Brooks <brooks>
Component: CanvasAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: ahmad.saleem792, ap, dtrebbien, krit
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case for bug none

Description Brooks 2014-02-21 14:51:07 PST 
Created attachment 224914 [details]
Test case for bug

Related to Bug 108755 (https://bugs.webkit.org/show_bug.cgi?id=108755) that case seems to have resolved the issue for Data URLs that use base64-encoding, however when using a Data URL in utf8-encoding with SVG data, the same "SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent." is thrown.

To reproduce:

1. Open the attached test case.
OR
1. Generate an SVG image.
2. Add "data:image/svg+xml;utf8," as a prefix to turn it into a Data URL and set is as the "src" of an image
3. Paint that image onto a Canvas and try to call toDataURL() on it.
Comment 1 Brooks 2014-02-24 08:35:32 PST 
Correction: Data URIs in UTF8 format (data:image/svg+xml;utf8) and Base64 format (data:image/svg+xml;base64) seem to both taint the canvas; the checks to ensure an SVG source is safe seem to only check an SVG included as a remote file, and don't scan Data URI  contents themselves.
Comment 2 Dirk Schulze 2014-04-03 01:26:34 PDT 
(In reply to comment #1)
> Correction: Data URIs in UTF8 format (data:image/svg+xml;utf8) and Base64 format (data:image/svg+xml;base64) seem to both taint the canvas; the checks to ensure an SVG source is safe seem to only check an SVG included as a remote file, and don't scan Data URI  contents themselves.

We load the SVG as SVG image which should be save enough, since SVG images already make sure that the security model is followed.

A question: Can you load an embed an external SVG document in the Canvas?
Comment 3 Daniel Trebbien 2014-11-28 10:01:05 PST 
Seems to be fixed in Safari 8.0 (10600.1.25.1).
Comment 4 Ahmad Saleem 2022-06-01 02:54:40 PDT 
I am not able to reproduce the issue in Safari 15.5 on macOS 12.4 and Safari behaves same as Firefox Nightly 103. Although, Chrome Canary 104 behaves differently and does not show any picture like Firefox and Safari.

Should this be marked as "RESOLVED CONFIGURATION CHANGED"?
Comment 5 Alexey Proskuryakov 2022-06-01 18:52:04 PDT 
Thank you for checking!
Comment 6 Alexey Proskuryakov 2022-06-01 18:53:45 PDT 
Not sure what's up with Chrome, but that doesn't seem to be the same issue:

Uncaught TypeError: Cannot read properties of null (reading 'appendChild')
    at Image.completionHandler (attachment.cgi?id=224914:26:17)