Starred by 3 users
Status: Fixed
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature

Blocked on:
issue 563826
issue 563868
issue 607575

Blocking:
issue 563816
issue 606925

Implement content security in OffscreenCanvas
Project Member Reported by, Dec 1 2015
OffscreenCanvas should have an origin-clean flag.
It should be tainted based on the same rules as <canvas>.
transferToImageBitmap() propagates the tainting.

Comment 1 by, Dec 1 2015
Blocking: chromium:563816
Comment 2 by, Apr 26 2016
Labels: -OffscreenCanvas OffScreenCanvas
Status: Started
Comment 3 by, Apr 26 2016
Blocking: 606925
Comment 4 by, Apr 26 2016
junov@: Do we want to re-use the disableReadingFromCanvas flag in OffscreenCanvas as well? Or create a new flag?
Comment 5 by, Apr 27 2016
As discussed, same flag sgtm.
Project Member Comment 6 by, May 2 2016
The following revision refers to this bug:

commit 23378f8baae5d52320bb4652984b3f045f0bd95e
Author: xlai <>
Date: Mon May 02 18:33:02 2016

Add drawImage() originClean() getSecurityOrigin() to OffscreenCanvas

This patch adds m_originClean flag to OffscreenCanvas and
ensures that OCRC2D also uses the value of this flag instead
of keeping its own redundant copy. It propagates the value of
originClean in transferToImageBitmap().

This patch also exposes drawImage() API functions in OCRC2D in workers.

BUG=563870, 563856

Cr-Commit-Position: refs/heads/master@{#391002}


Comment 7 by, May 10 2016
Blockedon: 607575
To add the flag, need to make flags usable on worker thread.
Comment 8 by, Jul 21 2016
Components: Blink>SecurityFeature
Labels: -OffScreenCanvas OffscreenCanvas
Comment 9 by, Jul 27 2016
Status: Fixed
OffscreenCanvas::originClean() now has the same implementation as HTMLCanvasElement::originClean(). Both its 2d context and webgl context can look up this function when needed.
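
An added example, not part of the issue thread and not Blink's code: a simplified JavaScript model of the tainting rules the report asks for, showing why transferToImageBitmap() has to carry the origin-clean flag into the resulting bitmap. All names (ModelImage, ModelBitmap, ModelOffscreenCanvas, demo) and both origins are hypothetical.

```javascript
// Simplified model of the origin-clean flag. Constructed for illustration; not Blink code.
class ModelImage {
  // corsApproved: the cross-origin fetch passed a CORS check.
  constructor(origin, corsApproved = false) {
    this.origin = origin;
    this.corsApproved = corsApproved;
  }
}

class ModelBitmap {
  constructor(originClean) { this.originClean = originClean; }
}

class ModelOffscreenCanvas {
  constructor(ownerOrigin) {
    this.ownerOrigin = ownerOrigin;
    this.originClean = true; // a fresh canvas starts clean
  }
  sourceIsClean(source) {
    if (source instanceof ModelImage) {
      return source.origin === this.ownerOrigin || source.corsApproved;
    }
    return source.originClean; // canvases and bitmaps carry their own flag
  }
  drawImage(source) {
    // One tainted source taints the destination; the model never clears the flag.
    if (!this.sourceIsClean(source)) this.originClean = false;
  }
  transferToImageBitmap() {
    // Propagate the flag so a transfer cannot launder tainted pixels.
    return new ModelBitmap(this.originClean);
  }
  getImageData() {
    if (!this.originClean) throw new Error("SecurityError: canvas is not origin-clean");
    return "pixels"; // stand-in for real pixel data
  }
}

// Constructed scenario: taint canvas a, transfer it, draw the bitmap into canvas b.
function demo(corsApproved) {
  const a = new ModelOffscreenCanvas("https://app.example");
  a.drawImage(new ModelImage("https://other.example", corsApproved));
  const bitmap = a.transferToImageBitmap();
  const b = new ModelOffscreenCanvas("https://app.example");
  b.drawImage(bitmap);
  let readBlocked = false;
  try { b.getImageData(); } catch (e) { readBlocked = true; }
  return { bitmapClean: bitmap.originClean, readBlocked };
}
```

If transferToImageBitmap() in this model returned a bitmap that was always clean, the read on the second canvas would succeed and expose cross-origin pixels.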