| Field | Value |
|---|---|
| Summary | Investigate letting foreignObject not taint the canvas when drawing svg into canvas. |
| Product | WebKit |
| Reporter | Philip Rogers <pdr> |
| Component | SVG |
| Assignee | Nobody <webkit-unassigned> |
| Status | NEW |
| Severity | Normal |
| CC | aman62, ap, bfulgham, chrishtr, dbates, dino, fred.wang, sabouhallawa, simon.fraser, thorton, webkit-bug-importer, zimmermann |
| Priority | P2 |
| Keywords | InRadar |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| See Also | https://bugs.webkit.org/show_bug.cgi?id=119492 |
| Bug Depends on | |
| Bug Blocks | 91523, 131033 |
| Attachments | 298134 (SVG), 298135 (test case) |
Description
Philip Rogers
2016-04-04 13:18:26 PDT
FWIW, the MDN page: https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Drawing_DOM_objects_into_a_canvas

@Frederic, on the webkit-dev thread you asked "Maybe it would be worth checking with them what was their rationale to remove that restriction and if it's worth following the same approach for Blink/WebKit...". I think we could remove this restriction today, but I do not trust our implementation of foreignObject to not leak data. This problem is specific to our implementation. I think a path forward will be to have someone look very closely at <foreignObject> and the data it can leak, and then just flip the switch if it is safe (remove SVGImage::hasSingleSecurityOrigin). For WebKit, I would recommend asking someone on Apple's security team to sign off on this too. I support doing this, but it's risky; I haven't done it myself because there hasn't been enough user interest to justify it.

Simon and Said, I think we're going to go ahead with this change in Blink (https://groups.google.com/a/chromium.org/d/msg/blink-dev/yYVVl5ociqA/b5387_fKDwAJ). I follow SVG commits in both Blink and WebKit and I do not know of any security/privacy differences in this area. Would you support the same change in WebKit? I can post the patch but wanted to check with you first.

(In reply to comment #3)
> Simon and Said,
> I think we're going to go ahead with this change in Blink
> (https://groups.google.com/a/chromium.org/d/msg/blink-dev/yYVVl5ociqA/b5387_fKDwAJ).
> I follow SVG commits in both Blink and WebKit and I do not know of any
> security/privacy differences in this area. Would you support the same change
> in WebKit? I can post the patch but wanted to check with you first.

I agree with this change since this will make WebKit compliant with the specs and the other browsers. I did some basic testing and found out WebKit does not apply any linking style when drawing an SVG to a canvas (see attached test case). But I think the WebKit security team needs to sign off on this as well. Brent, do you agree with this change?

Created attachment 298134 [details]
SVG

Created attachment 298135 [details]
test case

Thanks Said! Small update on the blink side: junov is currently writing a few more tests just to be sure. I'll update this bug (along with a link to the patch with tests) once the full change lands in blink.

Hi there, any progress on this bug? I came across this bug while using the dom-to-image library for converting an HTML element into a sharable png image. I was hoping that we could make this work without restrictions since Google Chrome and Firefox already allow it.

This issue is similar to https://bugs.webkit.org/show_bug.cgi?id=17352
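The thread is about drawing an SVG that carries a <foreignObject> into a 2D canvas and whether the canvas is then tainted, so that toDataURL() and getImageData() throw. The block below is an added example and is not code from this bug, from WebKit or from Blink. It builds the kind of SVG wrapper that dom-to-image-style libraries produce, draws it into a canvas when run in a browser, and probes the taint state. The function names (buildForeignObjectSvg, svgToDataUrl, isCanvasTainted, renderFragmentToCanvas) are my own; the only browser behaviour relied on is that a tainted canvas throws a DOMException whose name is "SecurityError" from toDataURL(), which the HTML spec defines.

```javascript
// Added example (not from the WebKit bug, WebKit or Blink source).
// Render an XHTML fragment through an SVG <foreignObject> into a 2D canvas and
// report whether the canvas was tainted by that draw.

// Wrap an XHTML fragment in an SVG whose <foreignObject> hosts it. The fragment
// must be well-formed XML in the XHTML namespace, or the SVG image fails to load.
function buildForeignObjectSvg(xhtmlFragment, width, height) {
  return (
    `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="${height}">` +
    `<foreignObject width="100%" height="100%">` +
    `<div xmlns="http://www.w3.org/1999/xhtml">${xhtmlFragment}</div>` +
    `</foreignObject></svg>`
  );
}

// data: URL for the SVG. encodeURIComponent keeps '#', '<', '>' and '"' safe,
// which a bare "data:image/svg+xml," + svg would not.
function svgToDataUrl(svg) {
  return "data:image/svg+xml;charset=utf-8," + encodeURIComponent(svg);
}

// true if pixel readback is blocked. Works on any object exposing toDataURL();
// a tainted canvas throws a DOMException named "SecurityError". Any other error
// is re-thrown so an unrelated failure is not mistaken for tainting.
function isCanvasTainted(canvas) {
  try {
    canvas.toDataURL();
    return false;
  } catch (err) {
    if (err && err.name === "SecurityError") return true;
    throw err;
  }
}

// Browser-only: draw the fragment and resolve with the canvas and its taint state.
// Rejects on image load failure, which is a different failure from tainting.
function renderFragmentToCanvas(xhtmlFragment, width, height) {
  return new Promise((resolve, reject) => {
    const canvas = document.createElement("canvas");
    canvas.width = width;
    canvas.height = height;
    const img = new Image();
    img.onload = () => {
      canvas.getContext("2d").drawImage(img, 0, 0);
      resolve({ canvas, tainted: isCanvasTainted(canvas) });
    };
    img.onerror = () =>
      reject(new Error("SVG image failed to load (is the fragment well-formed XHTML?)"));
    img.src = svgToDataUrl(buildForeignObjectSvg(xhtmlFragment, width, height));
  });
}

// Demo (constructed fragment); skipped outside a browser so the helpers above
// can still be exercised from Node.
if (typeof document !== "undefined") {
  renderFragmentToCanvas('<p style="font: 16px sans-serif">hello</p>', 200, 50)
    .then(({ tainted }) =>
      console.log(tainted
        ? "canvas tainted: foreignObject blocked pixel readback"
        : "canvas clean: pixels readable after drawing foreignObject"))
    .catch((err) => console.error(err.message));
}
```

In an engine that taints on <foreignObject> (the WebKit behaviour this bug tracks), `tainted` comes back true even though the data: URL image is same-origin; in engines that lifted the restriction it comes back false. Checking `err.name` rather than catching everything matters in practice: a fragment that is not well-formed XHTML never loads at all, and conflating that with tainting hides the real problem.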