mozilla-central: changeset 457908:74bc4bd79017220e244bfdd9aa5ef82355c11039

author	Matt Falkenhagen <falken@chromium.org>
	Thu, 31 Jan 2019 15:46:15 +0000
changeset 457908	74bc4bd79017220e244bfdd9aa5ef82355c11039
parent 457907	116c44563b93fddd51887895aed54ef04de30932
child 457909	7a9a6b22b7ba554c9be5fa0634e2a2f955492888
push id	35518
push user	opoprus@mozilla.com
push date	Fri, 08 Feb 2019 09:55:14 +0000
treeherder	mozilla-central@3a3e393396f4 [default view] [failures only]
perfherder	[talos] [build metrics] [platform microbench] (compared to previous push)
reviewers	testonly
bugs	1518563, 14750, 294129, 1347953, 918460, 1400433, 620985
milestone	67.0a1
first release with	nightly linux32 3a3e393396f4 / 67.0a1 / 20190208095514 / files nightly linux64 3a3e393396f4 / 67.0a1 / 20190208095514 / files nightly mac 3a3e393396f4 / 67.0a1 / 20190208095514 / files nightly win32 3a3e393396f4 / 67.0a1 / 20190208095514 / files nightly win64 3a3e393396f4 / 67.0a1 / 20190208095514 / files
last release without	nightly linux32 4e98200ee530 / 67.0a1 / 20190207214423 / files nightly linux64 4e98200ee530 / 67.0a1 / 20190207214423 / files nightly mac 4e98200ee530 / 67.0a1 / 20190207214423 / files nightly win32 4e98200ee530 / 67.0a1 / 20190207214423 / files nightly win64 4e98200ee530 / 67.0a1 / 20190207214423 / files

Bug 1518563 [wpt PR 14750] - canvas: Restore the data: URL special case for tainting., a=testonly Automatic update from web-platform-tests canvas: Restore the data: URL special case for tainting. CanvasRenderingContext::WouldTaintOrigin() had a special case for data URLs that was removed in r610498.[1] The assumption was that just calling CanvasImageSource::WouldTaintOrigin() would return false on data URLs. It turns out that function can return true due to a historical restriction on SVG foreign object nodes, as discussed in bug 294129. This CL reverses that behavior change, so data URLs again don't taint the canvas. It partially reverts r610498 and dependent change r613433. A WPT test is added. Chrome now passes the test despite bug 294129 being open because it has this special case for data URLs on canvas. [1] https://chromium-review.googlesource.com/c/chromium/src/+/1347953 Bug: 294129, 918460 Change-Id: I7c8cb4d37d950693956785c291dfd7660c42e662 Reviewed-on: https://chromium-review.googlesource.com/c/1400433 Reviewed-by: Kenneth Russell <kbr@chromium.org> Commit-Queue: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#620985} -- wpt-commits: ebe98e2c971c6e33b7fd94264a96bfddd8d7b347 wpt-pr: 14750

new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/2dcontext/drawing-images-to-the-canvas/drawimage_svg_image_with_foreign_object_does_not_taint.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Draw an SVG image with a foreignObject to a canvas</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+function loadImage(url) {
+  return new Promise(resolve => {
+    const image = new window.Image();
+    image.onload = () => {
+      resolve(image);
+    };
+    image.src = url;
+  });
+}
+
+promise_test(async (t) => {
+  // Load a data URL for an SVG image with a foreign object.
+  const url = 'data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100"><foreignObject></foreignObject></svg>';
+  const image = await loadImage(url);
+
+  // Draw the image to a canvas.
+  const canvas = document.createElement('canvas');
+  const context = canvas.getContext('2d');
+  canvas.width = image.width;
+  canvas.height = image.height;
+  context.drawImage(image, 0, 0);
+
+  // The canvas should not be tainted, so the following shouldn't throw.
+  assert_true(canvas.toDataURL().length > 0);
+}, 'Canvas should not be tainted after drawing SVG including <foreignObject>');
+</script>