Bug 241718 - Video CORS requests with a 302 redirect cause tainted canvas
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Canvas
Version: Safari 15
Hardware: Mac (Intel) macOS 12
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-06-17 10:14 PDT by Adrian Rocke
Modified: 2022-06-24 10:15 PDT

Description Adrian Rocke 2022-06-17 10:14:09 PDT
Overview
When a video element with crossorigin="use-credentials" receives a 302 redirect, and then is inserted into a canvas with drawImage, the canvas becomes tainted. There is no CORS error when loading the video in the first place, but the canvas is still tainted. This isn't an issue in Chrome or Firefox.

Steps to Reproduce
1. Load a video from a cross-origin server that redirects to another cross-origin server.
2. Draw the image on a canvas element.
3. Get the image data from the canvas.

You can view this page here to see the issue: https://pi-web-br-safari-bug.herokuapp.com/safari-bug
This page works in Chrome and Firefox, but not Safari.

Actual Results
Operation fails because of a tainted canvas.
No CORS issue is logged in developer tools.

Expected Results
Operation should succeed since CORS was handled correctly.

Build Date & Hardware
Version 15.5 (17613.2.7.1.8) on macOS 12.4 (21F79)
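
The steps to reproduce above, written as a reusable taint probe for checking a given video URL in each browser. This is an added example, not code from the report or from the linked test page; the function names `probeCanvasTaint` and `probeVideoUrl` and the URL passed in are assumptions.

```javascript
// Added example (not from the bug report). Function names are hypothetical.

// Steps 2 and 3: draw `source` on `canvas`, then attempt a pixel read.
// Reading pixels from a canvas that is not origin-clean throws SecurityError.
function probeCanvasTaint(canvas, source, width, height) {
  canvas.width = width;
  canvas.height = height;
  const ctx = canvas.getContext("2d");
  ctx.drawImage(source, 0, 0, width, height);
  try {
    ctx.getImageData(0, 0, 1, 1);
    return { tainted: false, error: null };
  } catch (err) {
    if (err && err.name === "SecurityError") {
      return { tainted: true, error: err.name };
    }
    throw err; // any other exception is a different failure, not taint
  }
}

// Step 1 (browser only): load the video in credentialed CORS mode and probe
// the first decoded frame. `doc` defaults to the page's document.
function probeVideoUrl(url, doc = globalThis.document) {
  return new Promise((resolve, reject) => {
    const video = doc.createElement("video");
    video.crossOrigin = "use-credentials"; // set before src so the fetch uses CORS
    video.muted = true;
    video.preload = "auto";
    video.addEventListener("loadeddata", () => {
      try {
        const canvas = doc.createElement("canvas");
        resolve(probeCanvasTaint(canvas, video, video.videoWidth, video.videoHeight));
      } catch (err) {
        reject(err);
      }
    }, { once: true });
    video.addEventListener("error", () => reject(new Error("video load failed")), { once: true });
    video.src = url; // assumed: a cross-origin URL that answers with a 302
  });
}
```

A result of `{ tainted: true }` with no load error matches the behaviour reported here: the video loads under CORS, yet the canvas is not origin-clean afterwards.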
Comment 1 Radar WebKit Bug Importer 2022-06-24 10:15:12 PDT
<rdar://problem/95863919>