A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
https://bugs.webkit.org/show_bug.cgi?id=180301
Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2018-01-08
Reviewed by Dean Jackson.
Source/WebCore:
Don't taint the canvas if it draws a data URL SVGImage with a <foreignObject>.
There should not be a cross-origin data leak in this case.
Tests: svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html
svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html
svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html
* html/ImageBitmap.cpp:
(WebCore::taintsOrigin):
* html/canvas/CanvasRenderingContext.cpp:
(WebCore::CanvasRenderingContext::wouldTaintOrigin):
LayoutTests:
* svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt: Added.
* svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html: Added.
* svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt: Added.
* svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html: Added.
* svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt: Added.
* svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226599 268f45cc-cd09-0410-ab3c-d52691b4dbfc
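The behaviour this commit describes can be checked from script by drawing a data URL SVG that contains a `<foreignObject>` and then attempting a pixel readback, which throws `SecurityError` on a tainted canvas. The following is an added example, not one of the WebKit layout tests listed above; the names `SAMPLE_SVG`, `buildSvgDataUrl`, `isTainted` and `probeDataUrlSvg` and the sample markup are assumptions made for illustration.

```javascript
// Constructed sample: an SVG whose only content is a <foreignObject>.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">' +
  '<foreignObject width="100" height="100">' +
  '<div xmlns="http://www.w3.org/1999/xhtml" ' +
  'style="width:100px;height:100px;background:green"></div>' +
  '</foreignObject></svg>';

// Encode the markup as a data URL; nothing is fetched from another origin.
function buildSvgDataUrl(svgText) {
  return "data:image/svg+xml;charset=utf-8," + encodeURIComponent(svgText);
}

// A tainted (origin-unclean) canvas rejects pixel readback with SecurityError.
function isTainted(ctx) {
  try {
    ctx.getImageData(0, 0, 1, 1);
    return false;
  } catch (e) {
    if (e && e.name === "SecurityError") return true;
    throw e; // unrelated failure: do not misreport it as taint
  }
}

// Browser-only: load the data URL as an image, draw it, report taint state.
function probeDataUrlSvg(svgText) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => {
      const canvas = document.createElement("canvas");
      canvas.width = img.width;
      canvas.height = img.height;
      const ctx = canvas.getContext("2d");
      ctx.drawImage(img, 0, 0);
      resolve(isTainted(ctx));
    };
    img.onerror = () => reject(new Error("SVG image failed to load"));
    img.src = buildSvgDataUrl(svgText);
  });
}

// Runs only where a DOM exists; resolves to false when the canvas stays clean.
if (typeof document !== "undefined") {
  probeDataUrlSvg(SAMPLE_SVG).then((t) => console.log("tainted:", t));
}
```
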