CORS errors are broken for ImageBitmapRenderingContext

ImageBitmapRenderingContext.toDataURL() does not throw CORS errors when reading from a tainted canvas. It is not super urgent right now as the entire functionality is broken, it simply returns black pixels, so there is no security vulnerability RIGHT now. Regardless once https://bugs.chromium.org/p/chromium/issues/detail?id=838108 is fixed, it will expose a problem.

Currently toDataURL() in dev builds fails https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/graphics/unaccelerated_static_bitmap_image.cc?q=unaccelerated_static_bitmap_image&sq=package:chromium&dr=C&l=28 and on https://cs.chromium.org/chromium/src/cc/paint/paint_image_builder.cc?dr=C&q=paint_image_builder&sq=package:chromium&g=0&l=47 not sure when this was introduced, but as of now we have no tests for toDataURL().

toDataURL() with LOCAL images also appears to be broken for ImageBitmapRenderingContext, as it just returns empty images.

Will add tests and try to fix those problems in other CLs

Bug: 930057
Change-Id: Id22d22310ae2130472f1a3cbc104cfe632a7129c
Reviewed-on: https://chromium-review.googlesource.com/c/1474546
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Commit-Queue: Aaron Krajeski <aaronhk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#635149}