Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

drawImage() tainting may not be interoperable #4490

Closed
domenic opened this issue Mar 29, 2019 · 2 comments
Closed

drawImage() tainting may not be interoperable #4490

domenic opened this issue Mar 29, 2019 · 2 comments
Labels
needs tests Moving the issue forward requires someone to write tests security/privacy There are security or privacy implications topic: canvas topic: multiple globals

Comments

@domenic
Copy link
Member

domenic commented Mar 29, 2019

Porting from https://www.w3.org/Bugs/Public/show_bug.cgi?id=28374, where @bzbarsky says:

A page at origin X loads an image from origin Y using CORS. The page has also set document.domain so that its effective script origin is Z. It has a subframe from origin W, which has also sets document.domain to Z. The parent page then does a drawImage call on a canvas in the subframe, with the image in question.

Per current spec what happens is that the image is CORS-same-origin so its origin is X. When the drawImage call happens, whether the canvas is tainted or not depends on the origin of the entry settings object.

In other words, if a user clicks on a button in the subframe which has an event listener which makes a call to the parent which does the drawImage call, the canvas is tainted (because the entry settings origin is W, but the image origin is X).

But if the user clicks a button in the parent which has an event listener which does the drawImage call, the canvas is NOT tainted (because the entry settings origin is X, which matches the image origin).

This difference in behavior is a bit surprising.

I haven't been able to find a place to put a testcase to see what various UAs do here, but what Gecko does internally is that images actually have a "don't taint for this image" flag that's set if CORS is used during the fetch and the image is CORS-same-origin. This means that in the above situation the canvas is not tainted no matter which button is clicked.

One other note: If the image is loaded from origin X without CORS, then per spec the behavior should be the same as if it were loaded from W with CORS. At least in Gecko's implementation in this situation the canvas would get tainted no matter which of the two buttons is clicked, because we compare the image origin to the origin of the canvas node's ownerDocument, not to the entry settings origin. Again, it would be interesting to see what other UAs do.

I'll also note the connection to #1431. Maybe if we stopped using entry settings this issue would be less bad, I dunno.

We need tests to figure out how tainting is done in these situations across browsers. And maybe we could change the spec to get rid of this use of entry settings object.
@domenic domenic added topic: canvas security/privacy There are security or privacy implications topic: multiple globals needs tests Moving the issue forward requires someone to write tests labels Mar 29, 2019
@annevk
Copy link
Member

annevk commented Apr 5, 2019

This might be a duplicate of #2813 at this point?

@domenic
Copy link
Member Author

domenic commented Apr 5, 2019

Yes, good catch, I knew I saw something similar to this but hadn't found it. Let's merge there.

@domenic domenic closed this as completed Apr 5, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs tests Moving the issue forward requires someone to write tests security/privacy There are security or privacy implications topic: canvas topic: multiple globals
Milestone
No milestone
Development

No branches or pull requests
2 participants
@domenic @annevk