Summary: | safe <img src=data:...> should not mark <canvas> unsafe | ||
---|---|---|---|
Product: | WebKit | Reporter: | Anne van Kesteren <annevk> |
Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | ||
Severity: | Normal | CC: | abarth, grahamperrin, mihai.sucan, oliver, sam |
Priority: | P2 | ||
Version: | 528+ (Nightly build) | ||
Hardware: | PC | ||
OS: | OS X 10.5 |
Description
Anne van Kesteren
2008-02-02 02:27:21 PST
Anne, the issue is how you identify a safe vs. unsafe data uri when all you have is a string "data:...." which is the case when the src is set on an image. How is it possible to work around this? You can achieve the goal of storage relatively simply through the use of ImageData, although you would unfortunately need to do your own serialisation :-/ The string "data:..." is always safe. (Consider that the author can do anything with it.) (ImageData doesn't really work well, as it varies based on device resolution, etc. It's not really fit for storage.) But what happens if i have a data uri that is the result of a redirect? eg. img src="example.com/redirectToDataURI" ? I'll admit i really don't know how this should effect the model, as this is much more towards Sam's area of expertise. I agree with Anne on this. data: urls are safe and should not taint the canvas. The redirection should not be an issue as we will not be basing our tainting policy on the resolved url, but rather the provided one. > The redirection should not be an issue as we will not be basing our
> tainting policy on the resolved url, but rather the provided one.
It seems like both URLs are important to consider. Maybe I'm misunderstanding, but suppose site A includes an image from itself, but the URL actually redirects to site B. Shouldn't that taint the canvas as cross-origin even though the provided URL matched the original site?
I was only referring to the data: url case. In general, I believe we need to base our tainting policy on the resolved URL. (In reply to comment #6) > I was only referring to the data: url case. In general, I believe we need to > base our tainting policy on the resolved URL. For data: URLs, since the resolved URL has ambiguous taint, would it be possible to use the second-to-last URL in the redirect chain? (the one that provided a redirect to the ambiguous data: URL) Are there any cases where the second-to-last URL would also be ambiguous? I bumped into this bug working on my Web application which uses Canvas. In Gecko 1.9.0 images with a data URL did mark the canvas as unsafe. Gecko 1.9.1 fixes this issue and now we can draw images with data URLs in Opera and Firefox as well. I would suggest that Webkit does the same. With regards to the redirection problem I'd say just mark the canvas as unsafe if the data URL comes from a redirection. |