The commit() method's implementation fails to propagate the tainting of the offscreen canvas, which makes it possible to leak cross-origin data by doing a readback on the placeholder canvas. OffscreenCanvas may not ship without fixing this.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0eea57f836fb2551563e1f18d5e91215bf0f5150

commit 0eea57f836fb2551563e1f18d5e91215bf0f5150
Author: junov <junov@chromium.org>
Date: Tue Dec 13 15:25:45 2016

Make OffscreenCanvas commit() propagate the origin-clean flag.

This change blocks user code from accessing cross-origin image data from a placeholder canvas. The placeholder code was modified to use StaticBitmapImage instead of Image to gain access to the originClean() method without downcasting.

BUG= 673348
Review-Url: https://codereview.chromium.org/2566313002
Cr-Commit-Position: refs/heads/master@{#438172}

[add] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/LayoutTests/http/tests/security/offscreencanvas-placeholder-read-blocked-no-crossorigin.html
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/modules/offscreencanvas2d/OffscreenCanvasRenderingContext2D.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/platform/graphics/OffscreenCanvasFrameDispatcherImpl.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/platform/graphics/OffscreenCanvasPlaceholder.cpp
[modify] https://crrev.com/0eea57f836fb2551563e1f18d5e91215bf0f5150/third_party/WebKit/Source/platform/graphics/OffscreenCanvasPlaceholder.h
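A regression check for the behaviour the fix above enforces, added here as an example (it is not the Chromium layout test and not code from the bug thread): a cross-origin image drawn into an OffscreenCanvas without CORS must taint the placeholder, so a later readback of the placeholder must fail with SecurityError. It assumes the Chromium-era `commit()` on the offscreen 2D context and readback via `toDataURL()`; the two helper functions are browser-independent, the harness at the end runs only in a browser.

```javascript
// Classify what a readback attempt did: 'blocked' is the correct result for a
// tainted (non-origin-clean) canvas, 'allowed' means pixel data came back.
function classifyReadback(readback) {
  try {
    readback();
    return 'allowed';
  } catch (e) {
    return e && e.name === 'SecurityError' ? 'blocked' : 'error';
  }
}

// The expected outcome for a source image: same-origin or CORS-approved images
// keep the canvas origin-clean; anything else must taint it.
function expectedOutcome(imageOrigin, documentOrigin, corsGranted) {
  if (imageOrigin === documentOrigin || corsGranted) return 'allowed';
  return 'blocked';
}

// Browser-only harness (hypothetical helper, assumes a 2D context with commit()).
// Draws imageUrl into an OffscreenCanvas transferred from a placeholder, commits
// the frame, then reads the placeholder back and compares with the expectation.
async function checkPlaceholderOriginClean(imageUrl, useCors) {
  const img = new Image();
  if (useCors) img.crossOrigin = 'anonymous'; // load fails unless the server grants CORS
  img.src = imageUrl;
  await img.decode();                          // resolves only if the load succeeded

  const placeholder = document.createElement('canvas');
  placeholder.width = img.width;
  placeholder.height = img.height;
  const offscreen = placeholder.transferControlToOffscreen();
  const ctx = offscreen.getContext('2d');
  ctx.drawImage(img, 0, 0);                    // taints the offscreen canvas if cross-origin without CORS
  ctx.commit();                                // pushes the frame, and with the fix its origin-clean flag, to the placeholder
  await new Promise((r) => requestAnimationFrame(r)); // let the committed frame reach the placeholder

  const imageOrigin = new URL(imageUrl, location.href).origin;
  const actual = classifyReadback(() => placeholder.toDataURL());
  // decode() succeeding with crossOrigin set means the server approved the CORS request
  const expected = expectedOutcome(imageOrigin, location.origin, useCors);
  return { actual, expected, ok: actual === expected };
}
```

Run `checkPlaceholderOriginClean('https://other-origin.example/image.png', false)` in a page served from a different origin (constructed URL); `ok` is true only when the placeholder readback is blocked.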
Comment 1 by junov@chromium.org, Dec 12 2016