Disallow non-origin-clean ImageBitmap serialization/transferring

Intent-to-Deprecate-and-Remove: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/Z1XdYf6SjDU Bug: 1013087 Change-Id: I34be2e59d6fa44834333e368dbd06a5e2cf1b876 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1942187Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#720130}

Disallow non-origin-clean ImageBitmap serialization/transferring
Intent-to-Deprecate-and-Remove: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/Z1XdYf6SjDU Bug: 1013087 Change-Id: I34be2e59d6fa44834333e368dbd06a5e2cf1b876 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1942187Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#720130}
355464e4 · Yutaka Hirano · Commit Bot · ce0b2e0b · 355464e4 · 355464e4
Commit 355464e4 authored Nov 29, 2019 by Yutaka Hirano Committed by Commit Bot Nov 29, 2019
7 changed files
--- a/third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_deserializer.cc
+++ b/third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_deserializer.cc
@@ -350,6 +350,11 @@ ScriptWrappable* V8ScriptValueDeserializer::ReadDOMObject(
      if (!computed_byte_length.IsValid() ||
          computed_byte_length.ValueOrDie() != byte_length)
        return nullptr;
+      if (!origin_clean) {
+        // Non-origin-clean ImageBitmap serialization/deserialization have
+        // been deprecated.
+        return nullptr;
+      }
      return ImageBitmap::Create(pixels, width, height, is_premultiplied,
                                 origin_clean, color_params);
    }

--- a/third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer.cc
+++ b/third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer.cc
@@ -271,8 +271,10 @@ bool V8ScriptValueSerializer::WriteDOMObject(ScriptWrappable* wrappable,
        execution_context->CountUse(
            mojom::WebFeature::kOriginCleanImageBitmapTransfer);
      } else {
-        execution_context->CountUse(
+        exception_state.ThrowDOMException(
-            mojom::WebFeature::kNonOriginCleanImageBitmapTransfer);
+            DOMExceptionCode::kDataCloneError,
+            "Non-origin-clean ImageBitmap cannot be transferred.");
+        return false;
      }
      DCHECK_LE(index, std::numeric_limits<uint32_t>::max());
@@ -286,8 +288,10 @@ bool V8ScriptValueSerializer::WriteDOMObject(ScriptWrappable* wrappable,
      execution_context->CountUse(
          mojom::WebFeature::kOriginCleanImageBitmapSerialization);
    } else {
-      execution_context->CountUse(
+      exception_state.ThrowDOMException(
-          mojom::WebFeature::kNonOriginCleanImageBitmapSerialization);
+          DOMExceptionCode::kDataCloneError,
+          "Non-origin-clean ImageBitmap cannot be cloned.");
+      return false;
    }
    WriteTag(kImageBitmapTag);
    SerializedColorParams color_params(image_bitmap->GetCanvasColorParams());

--- a/third_party/blink/web_tests/external/wpt/2dcontext/imagebitmap/no-coop-coep.https.window-expected.txt
+++ b/third_party/blink/web_tests/external/wpt/2dcontext/imagebitmap/no-coop-coep.https.window-expected.txt
 This is a testharness.js-based test.
-FAIL BroadcastChannel'ing a tainted ImageBitmap to a COOP+COEP popup assert_equals: expected "Got failure as expected." but got "Got message, expected failure."
+FAIL BroadcastChannel'ing a tainted ImageBitmap to a COOP+COEP popup Failed to execute 'postMessage' on 'BroadcastChannel': Non-origin-clean ImageBitmap cannot be cloned.
-FAIL Messaging a tainted ImageBitMap via serialize/deserialize to a COEP shared worker assert_equals: expected "Got failure as expected." but got "Got message, expected failure."
+FAIL Messaging a tainted ImageBitMap via serialize/deserialize to a COEP shared worker Failed to execute 'postMessage' on 'MessagePort': Non-origin-clean ImageBitmap cannot be cloned.
-FAIL Messaging a tainted ImageBitMap via transfer to a COEP shared worker assert_equals: expected "Got failure as expected." but got "Got message, expected failure."
+FAIL Messaging a tainted ImageBitMap via transfer to a COEP shared worker Failed to execute 'postMessage' on 'MessagePort': Non-origin-clean ImageBitmap cannot be transferred.
 Harness: the test ran to completion.
--- a/third_party/blink/web_tests/http/tests/security/cross-origin-OffscreenCanvas2D-transferToImageBitmap-expected.txt
+++ b/third_party/blink/web_tests/http/tests/security/cross-origin-OffscreenCanvas2D-transferToImageBitmap-expected.txt
-The taintedness of the imagebitmap drawn to OffscrenCanvas must be transfered
+A tainted imagebitmap drawn to OffscrenCanvas cannot be transfered
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-PASS ImageBitmap is tainted. Threw error: SecurityError: Failed to execute 'getImageData' on 'CanvasRenderingContext2D': The canvas has been tainted by cross-origin data.
+PASS A tainted ImageBitmap cannot be transferred
 PASS successfullyParsed is true
 TEST COMPLETE

--- a/third_party/blink/web_tests/http/tests/security/cross-origin-OffscreenCanvas2D-transferToImageBitmap.html
+++ b/third_party/blink/web_tests/http/tests/security/cross-origin-OffscreenCanvas2D-transferToImageBitmap.html
@@ -3,59 +3,34 @@
 <body>
 <canvas id='output' width='200' height='400'></canvas>
 <script src="/js-test-resources/js-test.js"></script>
-<script id='myWorker' type='text/worker'>
-self.onmessage = function(e) {
-    var aCanvas = new OffscreenCanvas(200, 400);
-    var ctx = aCanvas.getContext('2d');
-    // Draw a tainted imagebitmap into OffscreenCanvas 2d
-    ctx.drawImage(e.data, 0, 0, 10, 10);
-    var image = aCanvas.transferToImageBitmap();
-    self.postMessage(image, [image]);
-};
-</script>
 <script>
-description("The taintedness of the imagebitmap drawn to OffscrenCanvas must be transfered");
+description("A tainted imagebitmap drawn to OffscrenCanvas cannot be transfered");
 window.jsTestIsAsync = true;
-function shouldBeTainted(imageBitmap) {
-    var canvas = document.createElement("canvas");
-    canvas.width = 10;
-    canvas.height = 10;
-    var context = canvas.getContext("2d");
-    context.drawImage(imageBitmap, 0, 0, 10, 10);
-    try {
-        var imageData = context.getImageData(0, 0, 10, 10);
-        testFailed("ImageBitmap is not tainted.");
-    } catch (e) {
-        testPassed("ImageBitmap is tainted. Threw error: " + e);
-    }
-}
-var blob = new Blob([document.getElementById('myWorker').textContent]);
-var worker = new Worker(URL.createObjectURL(blob));
-worker.addEventListener('message', msg => {
-    shouldBeTainted(msg.data);
-    finishJSTest();
-});
 var image = document.createElement('img');
 image.src = 'http://localhost:8080/security/resources/abe.png';
 image.addEventListener('load', function() {
    createImageBitmap(image, 0, 0, 10, 10).then(
-        function(imagebitmap) {
+        function(originalImagebitmap) {
-            // Post the tainted imagebitmap to worker
+            const aCanvas = new OffscreenCanvas(200, 400);
-            worker.postMessage(imagebitmap, [imagebitmap]);
+            const ctx = aCanvas.getContext('2d');
-        },
+            // Draw a tainted imagebitmap into OffscreenCanvas 2d
-        function(e) {
+            ctx.drawImage(originalImagebitmap, 0, 0, 10, 10);
+            const newImageBitmap = aCanvas.transferToImageBitmap();
+            try {
+                window.postMessage(newImageBitmap, [newImageBitmap]);
+                testFailed("A tainted ImageBitmap cannot be transferred");
+                finishJSTest();
+            } catch (e) {
+                testPassed("A tainted ImageBitmap cannot be transferred");
+                finishJSTest();
+            }
+        }).catch((e) => {
            testFailed("Image rejected unexpectedly. ");
            debug(e);
-        }
+        });
-    );
+    });
-});
 </script>
 </body>
 </html>
--- a/third_party/blink/web_tests/http/tests/security/cross-origin-createImageBitmap-structured-clone.html
+++ b/third_party/blink/web_tests/http/tests/security/cross-origin-createImageBitmap-structured-clone.html
@@ -18,21 +18,16 @@ async_test(function(t) {
    var returnedBitmap;
    var image = new Image();
-    image.onload = function() {
+    image.onload = t.step_func(() => {
        shouldBeTainted(image);
-        createImageBitmap(image).then(imageBitmap => {
+        createImageBitmap(image).then(t.step_func((imageBitmap) => {
-            worker.postMessage({data:imageBitmap}, [imageBitmap]);
+            assert_throws('DataCloneError',
-            worker.onmessage = t.step_func(onMessage);
+                          () => worker.postMessage({data:imageBitmap}, [imageBitmap]));
+            t.done();
+        }));
    });
-    }
    image.src = 'http://localhost:8080/security/resources/abe.png';
-    function onMessage(e) {
-        returnedBitmap = e.data.data;
-        shouldBeTainted(returnedBitmap);
-        t.done();
-    }
    function shouldBeTainted(imageBitmap) {
        var canvas = document.createElement("canvas");
        canvas.width = 10;

--- a/third_party/blink/web_tests/http/tests/security/cross-origin-createImageBitmap-useCounter.html
+++ b/third_party/blink/web_tests/http/tests/security/cross-origin-createImageBitmap-useCounter.html
@@ -40,9 +40,7 @@ promise_test(async (t) => {
  assert_false(internals.isUseCounted(document, FEATURE));
-  postMessage(bitmap, '*');
+  assert_throws('DataCloneError', () => postMessage(bitmap, '*'));
-  assert_true(internals.isUseCounted(document, FEATURE));
 }, 'non-origin-clean, serialization');
 promise_test(async (t) => {
@@ -64,9 +62,7 @@ promise_test(async (t) => {
  assert_false(internals.isUseCounted(document, FEATURE));
-  postMessage(bitmap, '*', [bitmap]);
+  assert_throws('DataCloneError', () => postMessage(bitmap, '*', [bitmap]));
-  assert_true(internals.isUseCounted(document, FEATURE));
 }, 'non-origin-clean, transfer');
 </script>
 </body>