Bug 567511. Don't consider document.domain when deciding whether to taint a canvas. r=roc
authorBoris Zbarsky <bzbarsky@mit.edu>
Wed, 29 Aug 2012 01:14:47 -0400
changeset 105772 9e3f2ec9e8f7c98b6c324ad5d2440bff23aeac47
parent 105771 747584155b62aaf0c2a9919104c730df29fe63d1
child 105773 2f34d5cff8a036bd3ed23731720e6e6e5601c6aa
push id55
push usershu@rfrn.org
push dateThu, 30 Aug 2012 01:33:09 +0000
reviewersroc
bugs567511
milestone18.0a1
Bug 567511. Don't consider document.domain when deciding whether to taint a canvas. r=roc
content/canvas/src/CanvasUtils.cpp
content/canvas/test/Makefile.in
content/canvas/test/file_drawImage_document_domain.html
content/canvas/test/test_drawImage_document_domain.html
--- a/content/canvas/src/CanvasUtils.cpp
+++ b/content/canvas/src/CanvasUtils.cpp
@@ -49,19 +49,21 @@ DoDrawImageSecurityCheck(nsHTMLCanvasEle
         aCanvasElement->SetWriteOnly();
         return;
     }
 
     // No need to do a security check if the image used CORS for the load
     if (CORSUsed)
         return;
 
+    // Ignore document.domain in this check.
     bool subsumes;
     nsresult rv =
-        aCanvasElement->NodePrincipal()->Subsumes(aPrincipal, &subsumes);
+        aCanvasElement->NodePrincipal()->SubsumesIgnoringDomain(aPrincipal,
+                                                                &subsumes);
 
     if (NS_SUCCEEDED(rv) && subsumes) {
         // This canvas has access to that image anyway
         return;
     }
 
     aCanvasElement->SetWriteOnly();
 }
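Review bot: The new `// Ignore document.domain in this check.` comment says what the call does but not why, which leaves the switch from `Subsumes` to `SubsumesIgnoringDomain` looking arbitrary to a later reader who may "fix" it back. Suggest `// Compare origins, not effective script origins: whether this canvas becomes write-only must not depend on a page having set document.domain (even to its own value).`, which is the rationale the commit message gives. Separately, `subsumes` is left uninitialized and is only read behind `NS_SUCCEEDED(rv) &&`, which is correct as written, but `bool subsumes = false;` would make the failure-path outcome (canvas is tainted) obvious at a glance. DoDrawImageSecurityCheck begins before this hunk.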
--- a/content/canvas/test/Makefile.in
+++ b/content/canvas/test/Makefile.in
@@ -52,16 +52,18 @@ MOCHITEST_FILES = \
 	test_toDataURL_lowercase_ascii.html \
 	test_toDataURL_parameters.html \
 	test_mozGetAsFile.html \
 	test_canvas_strokeStyle_getter.html \
 	test_bug613794.html \
 	test_bug753758.html \
 	test_bug764125.html \
 	test_drawImage_edge_cases.html \
+	test_drawImage_document_domain.html \
+	file_drawImage_document_domain.html \
 	$(NULL)
 
 ifneq (1_Linux,$(MOZ_SUITE)_$(OS_ARCH))
 # This test fails in Suite on Linux for some reason, disable it there
 MOCHITEST_FILES += test_2d.composite.uncovered.image.destination-atop.html
 endif
 
 # xor and lighter aren't well handled by cairo; they mostly work, but we don't want
new file mode 100644
--- /dev/null
+++ b/content/canvas/test/file_drawImage_document_domain.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+  <canvas id="c" width="1" height="1"></canvas>
+  <img id="img" src="image_green-1x1.png">
+<script>
+  window.onmessage = function(ev) {
+    if (ev.data != "start") {
+      parent.postMessage({ msg: "unknown_message", data: ev.data }, "*");
+      return;
+    }
+
+    // Set document.domain to itself, so we trigger the
+    // "set effective script origin" cases.
+    document.domain = document.domain
+    var ctx = document.getElementById("c").getContext("2d");
+    ctx.drawImage(document.getElementById("img"), 0, 0);
+    try {
+      var data = ctx.getImageData(0, 0, 1, 1).data;
+      parent.postMessage(
+        {
+          msg: "color",
+          data: "rgba(" + data[0] + ", " + data[1] + ", " + data[2] + ", " + data[3]/255 + ")"
+        },
+        "*");
+    } catch (e) {
+      parent.postMessage({ msg: "exception", data: e.toString() }, "*");
+    }
+
+    parent.postMessage({ msg: "done" }, "*");
+  }
+</script>
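Review bot: `document.domain = document.domain` on the new line has no terminating semicolon; the following line starts with `var`, so automatic semicolon insertion rescues it here, but it is inconsistent with the rest of the file and fragile under reordering — `document.domain = document.domain;`. The comment above it explains the mechanism ("set effective script origin") but not what the test expects, so a reader cannot tell whether tainting is the bug or the desired outcome; something like `// Per bug 567511, this assignment must not make the canvas write-only; the parent checks that getImageData still succeeds.` would carry that intent (inferred from the commit message and the parent test, not from this file).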
new file mode 100644
--- /dev/null
+++ b/content/canvas/test/test_drawImage_document_domain.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=567511
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 567511</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=567511">Mozilla Bug 567511</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  <iframe src="file_drawImage_document_domain.html"></iframe>
+</div>
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 567511 **/
+
+SimpleTest.waitForExplicitFinish();
+
+window.onmessage = function(ev) {
+  if (ev.data.msg == "done") {
+    SimpleTest.finish();
+  } else if (ev.data.msg == "exception") {
+    ok(false, ev.data.data);
+  } else if (ev.data.msg == "color") {
+    is(ev.data.data, "rgba(0, 255, 0, 1)", "Should get correct color");
+  } else if (ev.data.msg == "unknown_message") {
+    ok(false, "Unknown message to child: " + ev.data.data);
+  } else {
+    ok(false, "Unknown message from child: " + ev.data.msg);
+  }
+}
+
+function doTest() {
+  frames[0].postMessage("start", "*");
+}
+
+addLoadEvent(doTest);
+
+</script>
+</pre>
+</body>
+</html>
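Review bot: The `window.onmessage` handler calls `SimpleTest.finish()` on `"done"` without confirming that a `"color"` or `"exception"` message arrived first, so a child that posts only `"done"` would end the test with no assertion about the canvas at all. A small guard closes that gap: `var sawResult = false;` before the handler, `sawResult = true;` in the color branch (the exception branch already asserts), and `ok(sawResult, "Child should report a color before done");` ahead of `SimpleTest.finish()`. The handler also never checks where the message came from, so a message from any other frame would be interpreted as a test result; `if (ev.source != frames[0]) return;` at the top of the handler would keep the test deterministic.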