A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Jan 2018 00:35:35 +0000 (00:35 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Jan 2018 00:35:35 +0000 (00:35 +0000)
commit 74a038e32ddb3574d5040b5e85b56a8eac43f97d
tree 903538bca7cbf541df7625ebe095f19f62a63fe0
parent 923f58af4b067179908e38819d5d8c9219602222
A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
https://bugs.webkit.org/show_bug.cgi?id=180301

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2018-01-08
Reviewed by Dean Jackson.

Source/WebCore:

Don't taint the canvas if it draws a data URL SVGImage with a <foreignObject>.
There should not be a cross-origin data leak in this case.

Tests: svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html
       svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html
       svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html

* html/ImageBitmap.cpp:
(WebCore::taintsOrigin):
* html/canvas/CanvasRenderingContext.cpp:
(WebCore::CanvasRenderingContext::wouldTaintOrigin):

LayoutTests:

* svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt: Added.
* svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html: Added.
* svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt: Added.
* svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html: Added.
* svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt: Added.
* svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226599 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt [new file with mode: 0644]
LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html [new file with mode: 0644]
LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt [new file with mode: 0644]
LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html [new file with mode: 0644]
LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt [new file with mode: 0644]
LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/ImageBitmap.cpp
Source/WebCore/html/canvas/CanvasRenderingContext.cpp
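
The behaviour this commit describes can be checked from script, because a tainted canvas throws a SecurityError on pixel read-back. The following is an added example, not code from the WebKit patch or its layout tests; the function names and the sample markup are constructed for illustration.

```javascript
const SVG_NS = 'http://www.w3.org/2000/svg';
const XHTML_NS = 'http://www.w3.org/1999/xhtml';

// Build a self-contained SVG (no external references) that embeds HTML via
// <foreignObject>, and wrap it in a data: URL. The text is XML-escaped first.
function buildForeignObjectSvgDataUrl(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  const escaped = String(text).replace(/[&<>]/g, (c) => entities[c]);
  const svg =
    `<svg xmlns="${SVG_NS}" width="100" height="100">` +
    `<foreignObject width="100" height="100">` +
    `<div xmlns="${XHTML_NS}">${escaped}</div>` +
    `</foreignObject></svg>`;
  return 'data:image/svg+xml;charset=utf-8,' + encodeURIComponent(svg);
}

// A canvas whose origin-clean flag is false throws SecurityError from
// getImageData(); any other exception is a different failure and is rethrown.
function isCanvasTainted(canvas) {
  try {
    canvas.getContext('2d').getImageData(0, 0, 1, 1);
    return false;
  } catch (e) {
    if (e && e.name === 'SecurityError') return true;
    throw e;
  }
}

// Browser-only: load the data: URL as an image, draw it, report taint state.
function probeForeignObjectTaint(doc, text) {
  return new Promise((resolve, reject) => {
    const img = doc.createElement('img');
    img.onload = () => {
      const canvas = doc.createElement('canvas');
      canvas.width = canvas.height = 100;
      canvas.getContext('2d').drawImage(img, 0, 0);
      resolve(isCanvasTainted(canvas));
    };
    img.onerror = () => reject(new Error('SVG image failed to load'));
    img.src = buildForeignObjectSvgDataUrl(text);
  });
}

if (typeof document !== 'undefined') {
  probeForeignObjectTaint(document, 'constructed sample text').then(
    (tainted) => console.log(tainted ? 'canvas tainted' : 'canvas not tainted'),
    (err) => console.error(err));
}
```

Run in a page, the probe logs "canvas not tainted" on an engine that behaves as this commit describes.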