Bug 1518563 [wpt PR 14750] - canvas: Restore the data: URL special case for tainting., a=testonly
authorMatt Falkenhagen <falken@chromium.org>
Thu, 31 Jan 2019 15:46:15 +0000
changeset 457908 74bc4bd79017220e244bfdd9aa5ef82355c11039
parent 457907 116c44563b93fddd51887895aed54ef04de30932
child 457909 7a9a6b22b7ba554c9be5fa0634e2a2f955492888
push id35518
push useropoprus@mozilla.com
push dateFri, 08 Feb 2019 09:55:14 +0000
treeherdermozilla-central@3a3e393396f4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1518563, 14750, 294129, 1347953, 918460, 1400433, 620985
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1518563 [wpt PR 14750] - canvas: Restore the data: URL special case for tainting., a=testonly Automatic update from web-platform-tests canvas: Restore the data: URL special case for tainting. CanvasRenderingContext::WouldTaintOrigin() had a special case for data URLs that was removed in r610498.[1] The assumption was that just calling CanvasImageSource::WouldTaintOrigin() would return false on data URLs. It turns out that function can return true due to a historical restriction on SVG foreign object nodes, as discussed in bug 294129. This CL reverses that behavior change, so data URLs again don't taint the canvas. It partially reverts r610498 and dependent change r613433. A WPT test is added. Chrome now passes the test despite bug 294129 being open because it has this special case for data URLs on canvas. [1] https://chromium-review.googlesource.com/c/chromium/src/+/1347953 Bug: 294129, 918460 Change-Id: I7c8cb4d37d950693956785c291dfd7660c42e662 Reviewed-on: https://chromium-review.googlesource.com/c/1400433 Reviewed-by: Kenneth Russell <kbr@chromium.org> Commit-Queue: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#620985} -- wpt-commits: ebe98e2c971c6e33b7fd94264a96bfddd8d7b347 wpt-pr: 14750
testing/web-platform/tests/2dcontext/drawing-images-to-the-canvas/drawimage_svg_image_with_foreign_object_does_not_taint.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/2dcontext/drawing-images-to-the-canvas/drawimage_svg_image_with_foreign_object_does_not_taint.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Draw an SVG image with a foreignObject to a canvas</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+function loadImage(url) {
+  return new Promise(resolve => {
+    const image = new window.Image();
+    image.onload = () => {
+      resolve(image);
+    };
+    image.src = url;
+  });
+}
+
+promise_test(async (t) => {
+  // Load a data URL for an SVG image with a foreign object.
+  const url = 'data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100"><foreignObject></foreignObject></svg>';
+  const image = await loadImage(url);
+
+  // Draw the image to a canvas.
+  const canvas = document.createElement('canvas');
+  const context = canvas.getContext('2d');
+  canvas.width = image.width;
+  canvas.height = image.height;
+  context.drawImage(image, 0, 0);
+
+  // The canvas should not be tainted, so the following shouldn't throw.
+  assert_true(canvas.toDataURL().length > 0);
+}, 'Canvas should not be tainted after drawing SVG including <foreignObject>');
+</script>