Diff
Modified: branches/safari-605-branch/LayoutTests/ChangeLog (226848 => 226849)
--- branches/safari-605-branch/LayoutTests/ChangeLog 2018-01-12 04:52:15 UTC (rev 226848)
+++ branches/safari-605-branch/LayoutTests/ChangeLog 2018-01-12 04:52:20 UTC (rev 226849)
@@ -1,5 +1,23 @@
2018-01-11 Jason Marcell <[email protected]>
+ Cherry-pick r226599. rdar://problem/36429130
+
+ 2018-01-08 Said Abou-Hallawa <[email protected]>
+
+ A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
+ https://bugs.webkit.org/show_bug.cgi?id=180301
+
+ Reviewed by Dean Jackson.
+
+ * svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt: Added.
+ * svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html: Added.
+ * svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt: Added.
+ * svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html: Added.
+ * svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt: Added.
+ * svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html: Added.
+
+2018-01-11 Jason Marcell <[email protected]>
+
Cherry-pick r226527. rdar://problem/36429143
2018-01-08 Basuke Suzuki <[email protected]>
Added: branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt (0 => 226849)
--- branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt (rev 0)
+++ branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted-expected.txt 2018-01-12 04:52:20 UTC (rev 226849)
@@ -0,0 +1,10 @@
+Canvas should not be tainted if a data url image with a data url <feimage> which has a <foreignObject> is drawn into the canvas.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS window.ctx.getImageData(0, 0, 1, 1) did not throw exception.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html (0 => 226849)
--- branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html (rev 0)
+++ branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html 2018-01-12 04:52:20 UTC (rev 226849)
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<head>
+ <script src=""
+</head>
+<body>
+ <canvas></canvas>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ jsTestIsAsync = true;
+ description("Canvas should not be tainted if a data url image with a data url <feimage> which has a <foreignObject> is drawn into the canvas.");
+
+ var data = ""
+ + '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100px" height="100px">'
+ + ' <defs>'
+ + ' <filter id="image">'
+ + ' <feImage xlink:href=""
+ + ' PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDBweCIgaGVpZ2h0PSIxMDBweCI+DQog'
+ + ' ICAgPGZvcmVpZ25PYmplY3Qgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSI+DQogICAgICAgIDxkaXYgeG1sbnM9Imh0dHA6'
+ + ' Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHN0eWxlPSJ3aWR0aDogMTAwJTsgaGVpZ2h0OiAxMDAlOyBiYWNrZ3JvdW5kLWNv'
+ + ' bG9yOiBncmVlbjsiPjwvZGl2Pg0KICAgIDwvZm9yZWlnbk9iamVjdD4nDQo8L3N2Zz4NCg0K">'
+ + ' </feImage>'
+ + ' </filter>'
+ + ' </defs>'
+ + ' <rect width="100%" height="100%" style="filter:url(#image);"/>'
+ + '</svg>';
+
+ var svg = new Image();
+ svg._onload_ = function() {
+ var canvas = document.querySelector('canvas');
+ window.ctx = canvas.getContext('2d');
+
+ // Wait for the data uri in the image to load.
+ setTimeout(function() {
+ ctx.drawImage(svg, 0, 0);
+ shouldNotThrow("window.ctx.getImageData(0, 0, 1, 1)");
+ finishJSTest();
+ }, 50);
+ }
+ svg.src = ""
+ </script>
+ <script src=""
+</body>
+</html>
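Review bot: The fixed `setTimeout(..., 50)` that waits for the nested data: URL `<feImage>` lets this test pass without exercising the case it names. If the inner image has not finished loading after 50 ms, `drawImage` still succeeds and `getImageData` still does not throw, so a slow bot reports the same PASS as a correct run. Consider also asserting on the pixel that is read back, for example that `window.ctx.getImageData(0, 0, 1, 1).data[1]` is non-zero (the base64 payload appears to be a green `<div>`), so a missing nested image fails the test. svg-canvas-data-url-svg-with-image-not-tainted.html uses the same 50 ms wait and has the same gap.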
Added: branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt (0 => 226849)
--- branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt (rev 0)
+++ branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted-expected.txt 2018-01-12 04:52:20 UTC (rev 226849)
@@ -0,0 +1,10 @@
+Canvas should not be tainted if a data url image with a <foreignObject> is drawn into the canvas.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS window.ctx.getImageData(0, 0, 1, 1) did not throw exception.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html (0 => 226849)
--- branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html (rev 0)
+++ branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html 2018-01-12 04:52:20 UTC (rev 226849)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<head>
+ <script src=""
+</head>
+<body>
+ <canvas></canvas>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ jsTestIsAsync = true;
+ description("Canvas should not be tainted if a data url image with a <foreignObject> is drawn into the canvas.");
+
+ var data = ""
+ + '<svg xmlns="http://www.w3.org/2000/svg">'
+ + ' <foreignObject width="100%" height="100%">'
+ + ' <div xmlns="http://www.w3.org/1999/xhtml" style="width:100px; height: 100px; background-color: green;"></div>'
+ + ' </foreignObject>'
+ + '</svg>';
+
+ var svg = new Image();
+ svg._onload_ = function() {
+ var canvas = document.querySelector('canvas');
+ window.ctx = canvas.getContext('2d');
+ ctx.drawImage(svg, 0, 0);
+ shouldNotThrow("window.ctx.getImageData(0, 0, 1, 1)");
+ finishJSTest();
+ }
+ svg.src = ""
+ </script>
+ <script src=""
+</body>
+</html>
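Review bot: `shouldNotThrow("window.ctx.getImageData(0, 0, 1, 1)")` discards the pixel it reads, so the test proves only that the canvas stayed untainted, not that the `<foreignObject>` was actually painted into it. If `<foreignObject>` content were skipped when the SVG is rendered as an image, this would still pass. A follow-up check that the green channel of the returned pixel is set would tie the PASS to the content the description talks about. A companion case asserting that a non-data-URL SVG with a `<foreignObject>` still taints the canvas would pin down the other side of the new exemption, if no existing test already covers it.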
Added: branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt (0 => 226849)
--- branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt (rev 0)
+++ branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted-expected.txt 2018-01-12 04:52:20 UTC (rev 226849)
@@ -0,0 +1,10 @@
+Canvas should not be tainted if a data url image with a data url <image> which has a <foreignObject> is drawn into the canvas.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS window.ctx.getImageData(0, 0, 1, 1) did not throw exception.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html (0 => 226849)
--- branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html (rev 0)
+++ branches/safari-605-branch/LayoutTests/svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html 2018-01-12 04:52:20 UTC (rev 226849)
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<head>
+ <script src=""
+</head>
+<body>
+ <canvas></canvas>
+ <script type="text/_javascript_">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ jsTestIsAsync = true;
+ description("Canvas should not be tainted if a data url image with a data url <image> which has a <foreignObject> is drawn into the canvas.");
+
+ var data = ""
+ + '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100px" height="100px">'
+ + ' <image width="100" height="100" xlink:href=""
+ + ' PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDBweCIgaGVpZ2h0PSIxMDBweCI+DQog'
+ + ' ICAgPGZvcmVpZ25PYmplY3Qgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSI+DQogICAgICAgIDxkaXYgeG1sbnM9Imh0dHA6'
+ + ' Ly93d3cudzMub3JnLzE5OTkveGh0bWwiIHN0eWxlPSJ3aWR0aDogMTAwJTsgaGVpZ2h0OiAxMDAlOyBiYWNrZ3JvdW5kLWNv'
+ + ' bG9yOiBncmVlbjsiPjwvZGl2Pg0KICAgIDwvZm9yZWlnbk9iamVjdD4nDQo8L3N2Zz4NCg0K">'
+ + ' </image>'
+ + '</svg>';
+
+ var svg = new Image();
+ svg._onload_ = function() {
+ var canvas = document.querySelector('canvas');
+ window.ctx = canvas.getContext('2d');
+
+ // Wait for the data uri in the image to load.
+ setTimeout(function() {
+ ctx.drawImage(svg, 0, 0);
+ shouldNotThrow("window.ctx.getImageData(0, 0, 1, 1)");
+ finishJSTest();
+ }, 50);
+ }
+ svg.src = ""
+ </script>
+ <script src=""
+</body>
+</html>
Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (226848 => 226849)
--- branches/safari-605-branch/Source/WebCore/ChangeLog 2018-01-12 04:52:15 UTC (rev 226848)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog 2018-01-12 04:52:20 UTC (rev 226849)
@@ -1,5 +1,28 @@
2018-01-11 Jason Marcell <[email protected]>
+ Cherry-pick r226599. rdar://problem/36429130
+
+ 2018-01-08 Said Abou-Hallawa <[email protected]>
+
+ A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
+ https://bugs.webkit.org/show_bug.cgi?id=180301
+
+ Reviewed by Dean Jackson.
+
+ Don't taint the canvas if it draws a data URL SVGImage with a <foreignObject>.
+ There should not be a cross-origin data leak in this case.
+
+ Tests: svg/as-image/svg-canvas-data-url-svg-with-feimage-not-tainted.html
+ svg/as-image/svg-canvas-data-url-svg-with-foreign-object-not-tainted.html
+ svg/as-image/svg-canvas-data-url-svg-with-image-not-tainted.html
+
+ * html/ImageBitmap.cpp:
+ (WebCore::taintsOrigin):
+ * html/canvas/CanvasRenderingContext.cpp:
+ (WebCore::CanvasRenderingContext::wouldTaintOrigin):
+
+2018-01-11 Jason Marcell <[email protected]>
+
Revert r226013. rdar://problem/36096522
2018-01-11 Jason Marcell <[email protected]>
Modified: branches/safari-605-branch/Source/WebCore/html/ImageBitmap.cpp (226848 => 226849)
--- branches/safari-605-branch/Source/WebCore/html/ImageBitmap.cpp 2018-01-12 04:52:15 UTC (rev 226848)
+++ branches/safari-605-branch/Source/WebCore/html/ImageBitmap.cpp 2018-01-12 04:52:20 UTC (rev 226849)
@@ -102,6 +102,9 @@
if (!image)
return false;
+ if (image->sourceURL().protocolIsData())
+ return false;
+
if (!image->hasSingleSecurityOrigin())
return true;
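Review bot: The new `protocolIsData()` early return sits ahead of the `hasSingleSecurityOrigin()` check, so for any image with a data: URL source that check, and whatever follows it outside this hunk, is skipped, and nothing at the call site states the invariant that makes this safe. Going by the ChangeLog, the assumption is that a data: URL SVG image cannot carry cross-origin content; that presumably rests on SVG-as-image refusing non-data subresources and on `<foreignObject>` rendering not exposing user-specific state, which is worth confirming. I would record it next to the check, e.g. `// A data: URL image can only embed further data: URLs, so its pixels carry no cross-origin data.` The identical three lines are added to `CanvasRenderingContext::wouldTaintOrigin` in CanvasRenderingContext.cpp, so the same applies there, and a shared helper would keep the two taint decisions from drifting apart. Both functions begin and end outside their hunks.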
Modified: branches/safari-605-branch/Source/WebCore/html/canvas/CanvasRenderingContext.cpp (226848 => 226849)
--- branches/safari-605-branch/Source/WebCore/html/canvas/CanvasRenderingContext.cpp 2018-01-12 04:52:15 UTC (rev 226848)
+++ branches/safari-605-branch/Source/WebCore/html/canvas/CanvasRenderingContext.cpp 2018-01-12 04:52:20 UTC (rev 226849)
@@ -81,6 +81,9 @@
if (!image)
return false;
+ if (image->sourceURL().protocolIsData())
+ return false;
+
if (!image->hasSingleSecurityOrigin())
return true;