2009-09-19 Adam Barth <abarth@webkit.org>
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 19 Sep 2009 17:17:20 +0000 (17:17 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 19 Sep 2009 17:17:20 +0000 (17:17 +0000)
commit f3b8dbbaa10d72946345640f7fe21a2753ccb3ac
tree a86f8b4f6dd0013084f033d738eb0f283fa1c695
parent 948db4c5e52993fdc3d103e4af97b2605361d2bd
2009-09-19  Adam Barth  <abarth@webkit.org>

        Reviewed by Oliver Hunt.

        Canvas drawn with data URL image raises SECURITY_ERR when toDataUrl() called.
        https://bugs.webkit.org/show_bug.cgi?id=29305

        Test that drawing a data URL image onto a canvas behaves as expected.
        Note the tricky case involving a data URL SVG image with an embedded
        remote image.

        Also, test that document.domain state doesn't affect canvas taint
        state.

        * http/tests/security/canvas-remote-read-data-url-image-expected.txt: Added.
        * http/tests/security/canvas-remote-read-data-url-image.html: Added.
        * http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt: Added.
        * http/tests/security/canvas-remote-read-data-url-svg-image.html: Added.
        * http/tests/security/canvas-remote-read-remote-image-document-domain-expected.txt: Added.
        * http/tests/security/canvas-remote-read-remote-image-document-domain.html: Added.
2009-09-19  Adam Barth  <abarth@webkit.org>

        Reviewed by Oliver Hunt.

        Canvas drawn with data URL image raises SECURITY_ERR when toDataUrl() called.
        https://bugs.webkit.org/show_bug.cgi?id=29305

        We need to special-case data URLs when tainting a canvas because we
        treat data URLs as having no security origin, unlike other
        browsers.  The reason we do this is to help sites avoid XSS via data
        URLs, but that consideration doesn't apply to canvas taint.

        Also, we were previously incorrectly taking document.domain state
        into account when tainting canvas.

        Tests: http/tests/security/canvas-remote-read-data-url-image.html
               http/tests/security/canvas-remote-read-data-url-svg-image.html
               http/tests/security/canvas-remote-read-remote-image-document-domain.html

        * html/canvas/CanvasRenderingContext2D.cpp:
        (WebCore::CanvasRenderingContext2D::checkOrigin):
        (WebCore::CanvasRenderingContext2D::createPattern):
        * page/SecurityOrigin.cpp:
        (WebCore::SecurityOrigin::taintsCanvas):
        * page/SecurityOrigin.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48556 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/canvas-remote-read-data-url-image-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/canvas-remote-read-data-url-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/canvas-remote-read-data-url-svg-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/canvas-remote-read-remote-image-document-domain-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/canvas-remote-read-remote-image-document-domain.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/canvas/CanvasRenderingContext2D.cpp
WebCore/page/SecurityOrigin.cpp
WebCore/page/SecurityOrigin.h
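
The taint decision described in the WebCore ChangeLog entry above, as an added example that is not WebKit's code: a simplified JavaScript model showing why a plain origin comparison taints the canvas for every data URL image, and how the data URL special case and ignoring document.domain change the result. The function names, the `{url, domain}` document shape and the sample URLs are assumptions made for illustration; the data URL SVG image with an embedded remote image is not modelled.

```javascript
// Simplified model of a canvas taint check. All names and sample values
// here are constructed for illustration; this is not WebKit's implementation.

// Compare scheme, host and port only.
function sameOriginTuple(a, b) {
  return a.protocol === b.protocol &&
         a.hostname === b.hostname &&
         a.port === b.port;
}

// doc: { url: string, domain?: string } where `domain` stands for a value
// the page assigned to document.domain. It is deliberately never read:
// the commit message says document.domain state must not affect taint.
// Returns true when drawing imageUrl must taint the document's canvas.
function taintsCanvas(doc, imageUrl) {
  const docUrl = new URL(doc.url);
  const imgUrl = new URL(imageUrl, docUrl); // resolves relative image URLs
  if (sameOriginTuple(docUrl, imgUrl)) return false;
  // A data URL has no origin of its own (URL.origin is the opaque "null"),
  // so the tuple comparison above can never succeed for it. Its bytes were
  // supplied by the page itself, so reading them back leaks nothing.
  if (imgUrl.protocol === "data:") return false;
  return true;
}

// The behaviour in the bug title: no special case, so every data URL image
// compares as cross-origin and toDataURL() raises SECURITY_ERR.
function naiveTaintsCanvas(doc, imageUrl) {
  const docUrl = new URL(doc.url);
  return docUrl.origin !== new URL(imageUrl, docUrl).origin;
}

// Constructed sample inputs.
const page = { url: "http://127.0.0.1:8000/security/test.html" };
const relaxedPage = { url: "http://a.example.test/", domain: "example.test" };
const dataImage = "data:image/png;base64,AAAA";

function demo() {
  return {
    dataUrlNaive: naiveTaintsCanvas(page, dataImage),
    dataUrlFixed: taintsCanvas(page, dataImage),
    sameOrigin: taintsCanvas(page, "resources/abe.png"),
    crossOrigin: taintsCanvas(page, "http://localhost:8080/abe.png"),
    documentDomain: taintsCanvas(relaxedPage, "http://b.example.test/abe.png"),
  };
}
```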