2009-09-19 Adam Barth <abarth@webkit.org>
Reviewed by Oliver Hunt.
Canvas drawn with data URL image raises SECURITY_ERR when toDataUrl() called.
https://bugs.webkit.org/show_bug.cgi?id=29305
Test that drawing a data URL image onto a canvas behaves as expected.
Note the tricky case involving a data URL SVG image with an embedded
remote image.
Also, test that document.domain state doesn't affect canvas taint
state.
* http/tests/security/canvas-remote-read-data-url-image-expected.txt: Added.
* http/tests/security/canvas-remote-read-data-url-image.html: Added.
* http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt: Added.
* http/tests/security/canvas-remote-read-data-url-svg-image.html: Added.
* http/tests/security/canvas-remote-read-remote-image-document-domain-expected.txt: Added.
* http/tests/security/canvas-remote-read-remote-image-document-domain.html: Added.
2009-09-19 Adam Barth <abarth@webkit.org>
Reviewed by Oliver Hunt.
Canvas drawn with data URL image raises SECURITY_ERR when toDataUrl() called.
https://bugs.webkit.org/show_bug.cgi?id=29305
We need to special-case data URLs when tainting a canvas because we
treat data URLs as having no security origin, unlike other
browsers. The reason we do this is to help sites avoid XSS via data
URLs, but that consideration doesn't apply to canvas taint.
Also, we were previously incorrectly taking document.domain state
into account when tainting canvas.
Tests: http/tests/security/canvas-remote-read-data-url-image.html
http/tests/security/canvas-remote-read-data-url-svg-image.html
http/tests/security/canvas-remote-read-remote-image-document-domain.html
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::checkOrigin):
(WebCore::CanvasRenderingContext2D::createPattern):
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::taintsCanvas):
* page/SecurityOrigin.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@48556 268f45cc-cd09-0410-ab3c-d52691b4dbfc
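
The taint rule this commit message describes, as a simplified JavaScript model added here for illustration. It is not WebKit's code: the `taintsCanvas` signature, the `ModelCanvas` class and all URLs are assumptions, and resources nested inside a data URL (the SVG case the message mentions) are not modelled.

```javascript
// Simplified model of the canvas taint decision described above.
// Not WebKit code; names, signatures and URLs are constructed.

// Returns true when drawing imageUrl must taint a canvas that belongs
// to the document at documentUrl. documentDomain is accepted only to
// show that it plays no part in the decision.
function taintsCanvas(documentUrl, imageUrl, documentDomain = null) {
  const image = new URL(imageUrl);
  // data: URLs are special-cased: they never taint, even though the
  // engine treats them as having no security origin of their own.
  if (image.protocol === "data:") return false;
  // Compare the full (scheme, host, port) tuple. A document.domain
  // setting does not relax the check for canvas reads.
  void documentDomain;
  return new URL(documentUrl).origin !== image.origin;
}

// Minimal canvas that tracks the origin-clean flag.
class ModelCanvas {
  constructor(documentUrl, documentDomain = null) {
    this.documentUrl = documentUrl;
    this.documentDomain = documentDomain;
    this.originClean = true;
  }
  drawImage(imageUrl) {
    // Once tainted, the canvas stays tainted.
    if (taintsCanvas(this.documentUrl, imageUrl, this.documentDomain)) {
      this.originClean = false;
    }
  }
  toDataURL() {
    if (!this.originClean) throw new Error("SECURITY_ERR");
    return "data:image/png;base64,"; // placeholder, no real pixels
  }
}

// Constructed scenario: a data URL image keeps the canvas readable,
// a cross-origin image does not.
function demo() {
  const canvas = new ModelCanvas("http://127.0.0.1:8000/page.html");
  canvas.drawImage("data:image/png;base64,AAAA");
  const readableAfterDataUrl = canvas.originClean;
  canvas.drawImage("http://localhost:8000/remote.png");
  return { readableAfterDataUrl, readableAfterRemote: canvas.originClean };
}
```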