Status: Fixed
Owner:
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Feature

Blocking:
issue 563816



OffscreenCanvas commit() must propagate the origin-clean flag to the placeholder canvas
Project Member Reported by junov@chromium.org, Dec 12 2016
The commit() method's implementation fails to propagate the tainting of the offscreen canvas, which makes it possible to leak cross-origin data by doing a readback on the placeholder canvas.  OffscreenCanvas may not ship without fixing this.
 
Comment 1 by junov@chromium.org, Dec 12 2016
Labels: -Type-Bug Type-Feature
Comment 2 by junov@chromium.org, Dec 12 2016
Status: Started
Project Member Comment 3 by bugdroid1@chromium.org, Dec 13 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0eea57f836fb2551563e1f18d5e91215bf0f5150

commit 0eea57f836fb2551563e1f18d5e91215bf0f5150
Author: junov <junov@chromium.org>
Date: Tue Dec 13 15:25:45 2016

Make OffscreenCanvas commit() propagate the origin-clean flag.

This change blocks user code from accessing cross-origin image data
from a placeholder canvas. The placeholder code was modified to
use StaticBitmapImage instead of Image to gain access to the
originClean() method without downcasting.

BUG= 673348 

Review-Url: https://codereview.chromium.org/2566313002
Cr-Commit-Position: refs/heads/master@{#438172}

[add] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/LayoutTests/http/tests/security/offscreencanvas-placeholder-read-blocked-no-crossorigin.html
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/modules/offscreencanvas2d/OffscreenCanvasRenderingContext2D.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/platform/graphics/OffscreenCanvasFrameDispatcherImpl.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/platform/graphics/OffscreenCanvasPlaceholder.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/platform/graphics/OffscreenCanvasPlaceholder.h
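As an added illustration (not Chromium code and not part of this issue or the commit above), the following Node-runnable model shows the invariant the report and the commit message describe: an OffscreenCanvas that has drawn non-CORS cross-origin image data is tainted, and commit() must carry that taint to the placeholder canvas so that a readback there is refused with a SecurityError. Every class and function name here is hypothetical; the model stands in for Blink's StaticBitmapImage/originClean() plumbing and does not reproduce it.

```javascript
// Added example, not Chromium code: a minimal model of the origin-clean
// ("tainting") invariant that OffscreenCanvas commit() must preserve.
// All names below are hypothetical stand-ins for Blink's internals.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Constructed image source: origin-clean only when same-origin or CORS-approved.
function imageSource(sameOrigin, corsApproved) {
  return { originClean: sameOrigin || corsApproved, pixels: [0x12, 0x34, 0x56, 0xff] };
}

class CanvasModel {
  constructor() {
    this.originClean = true; // a fresh canvas is clean
    this.pixels = [0, 0, 0, 0];
  }
  drawImage(img) {
    // Tainting is sticky: drawing any non-clean source taints the canvas for good.
    this.originClean = this.originClean && img.originClean;
    this.pixels = img.pixels.slice();
  }
  getImageData() {
    // Readback is the leak point: refuse it on a tainted canvas.
    if (!this.originClean) {
      throw new SecurityError("canvas has been tainted by cross-origin data");
    }
    return this.pixels.slice();
  }
}

class PlaceholderCanvasModel extends CanvasModel {
  receiveFrame(frame) {
    this.pixels = frame.pixels;
    // The fix: the placeholder adopts the frame's taint and never becomes cleaner.
    this.originClean = this.originClean && frame.originClean;
  }
}

class OffscreenCanvasModel extends CanvasModel {
  constructor(placeholder) {
    super();
    this.placeholder = placeholder;
  }
  // Defective commit, as described in the report: pixels move, the flag does not.
  commitWithoutFlag() {
    this.placeholder.pixels = this.pixels.slice();
  }
  // Fixed commit: the frame carries originClean alongside the pixels.
  commit() {
    this.placeholder.receiveFrame({ pixels: this.pixels.slice(), originClean: this.originClean });
  }
}

// Runs one scenario and reports what a readback on the placeholder yields:
// "allowed" (clean data returned), "blocked" (SecurityError thrown), or
// "leaked" (tainted data returned, which is the bug).
function readbackOutcome({ fixed, sameOrigin, corsApproved }) {
  const placeholder = new PlaceholderCanvasModel();
  const offscreen = new OffscreenCanvasModel(placeholder);
  offscreen.drawImage(imageSource(sameOrigin, corsApproved));
  if (fixed) offscreen.commit(); else offscreen.commitWithoutFlag();
  try {
    placeholder.getImageData();
    return offscreen.originClean ? "allowed" : "leaked";
  } catch (e) {
    if (e instanceof SecurityError) return "blocked";
    throw e;
  }
}

// With the fix, a later clean frame must not launder an earlier taint.
function taintSurvivesCleanCommit() {
  const placeholder = new PlaceholderCanvasModel();
  const tainted = new OffscreenCanvasModel(placeholder);
  tainted.drawImage(imageSource(false, false)); // cross-origin, no CORS approval
  tainted.commit();
  const clean = new OffscreenCanvasModel(placeholder); // second, clean source (model only)
  clean.drawImage(imageSource(true, false));
  clean.commit();
  try {
    placeholder.getImageData();
    return false;
  } catch (e) {
    return e instanceof SecurityError;
  }
}
```

readbackOutcome reports "leaked" only on the unfixed path, where the placeholder still believes it is clean; with the fix the placeholder is at least as tainted as the frame it received, and taintSurvivesCleanCommit shows the taint is sticky across later commits. That is the behaviour a regression test such as the added layout test observes from page script: getImageData on the placeholder throws a SecurityError instead of returning cross-origin pixels.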

Comment 4 by junov@chromium.org, Dec 13 2016
Status: Fixed