Allow SVG images to not taint the canvas with drawImage/drawPattern

This is a merge of http://trac.webkit.org/changeset/153876 by Timothy
Hatcher with a large modification to prevent leaks through embedded
images. In SVGImage::hasSingleSecurityOrigin, this patch checks
that the SVG image does not contain other images. I've reported
this to the WebKit team in wkbug.com/119639.

The main idea in this patch is to allow single origin images to be
drawn into a canvas by checking SVGImage::hasSingleSecurityOrigin().
At the moment we are blacklisting <foreignObject>, <image>, and
<feImage>.

A leak of data is possible through SVG's <a> element, and this patch
disables <a> in both HTML and SVG if the content is embedded through
an SVG image (one day, we may white-list <foreignObject>).

BUG= 249037
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=156422
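
A text-level approximation of the element blacklist described above, added here as an illustration; it is not code from the patch, which makes this decision inside SVGImage::hasSingleSecurityOrigin. The name classifySvg, the DOCTYPE rule and the sample documents are assumptions of this example.

```javascript
// Added illustration, not Blink code. The three element names are the ones the
// commit description lists; function names and sample SVGs are constructed.
const BLOCKED = new Set(["foreignObject", "image", "feImage"]);

// Comments, CDATA sections and processing instructions can contain "<image"
// as plain text. One alternation pass removes them in document order, so a
// "<!--" inside CDATA cannot swallow real markup that follows it.
const NON_MARKUP = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<\?[\s\S]*?\?>/g;

// Start tag with an optional namespace prefix: <image ...> or <svg:image ...>.
const START_TAG = /<(?:[A-Za-z_][\w.-]*:)?([A-Za-z_][\w.-]*)/g;

function classifySvg(svgText) {
  const markup = svgText.replace(NON_MARKUP, "");
  // A DOCTYPE can declare entities that expand to elements this text scan
  // never sees, so treat it as "cannot prove single origin".
  const hasDoctype = /<!DOCTYPE/.test(markup);
  const blocked = [];
  for (const m of markup.matchAll(START_TAG)) {
    if (BLOCKED.has(m[1])) blocked.push(m[1]);
  }
  return { singleOrigin: !hasDoctype && blocked.length === 0, blocked, hasDoctype };
}

// Constructed sample documents.
const SAMPLES = {
  plain: '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>',
  embedded: '<svg xmlns="http://www.w3.org/2000/svg"><image href="photo.png"/></svg>',
  prefixed: '<svg:svg xmlns:svg="http://www.w3.org/2000/svg"><svg:filter id="f">' +
    '<svg:feImage href="x.png"/></svg:filter><svg:foreignObject/></svg:svg>',
  commented: '<svg xmlns="http://www.w3.org/2000/svg"><!-- <image href="a.png"/> --></svg>',
  cdata: '<svg xmlns="http://www.w3.org/2000/svg"><style><![CDATA[ /* <!-- */ ]]></style>' +
    '<image href="a.png"/><!-- end --></svg>',
};

for (const [name, svg] of Object.entries(SAMPLES)) {
  const r = classifySvg(svg);
  console.log(name, r.singleOrigin ? "single origin" : "would taint", r.blocked);
}
```

A scan like this suits a pre-upload or CI check on SVG assets; the rendering engine's own decision is made on the parsed document, not on text.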
Total comments: 8
Total comments: 2
Stats (+207 lines, -136 lines)

Status | File | Chunks | Lines changed | Comments
M | LayoutTests/TestExpectations | 1 chunk | +0 lines, -1 line | 0 comments
D | LayoutTests/fast/canvas/svg-taint.html | 1 chunk | +0 lines, -46 lines | 0 comments
D | LayoutTests/http/tests/security/canvas-remote-read-data-url-svg-image.html | 1 chunk | +0 lines, -40 lines | 0 comments
D | LayoutTests/http/tests/security/canvas-remote-read-svg-image.html | 1 chunk | +0 lines, -33 lines | 0 comments
A | LayoutTests/svg/as-image/resources/link.svg | 1 chunk | +8 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/resources/link-xhtml.svg | 1 chunk | +8 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/resources/svg-with-image-with-link.svg | 1 chunk | +7 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-link-not-colored.html | 1 chunk | +39 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-link-not-colored-expected.txt | 1 chunk | +7 lines, -0 lines | 0 comments
A + | LayoutTests/svg/as-image/svg-canvas-not-tainted.html | 2 chunks | +7 lines, -6 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-not-tainted-expected.txt | 1 chunk | +2 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-svg-with-image-with-link-tainted.html | 1 chunk | +31 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-svg-with-image-with-link-tainted-expected.txt | 1 chunk | +2 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-xhtml-tainted.html | 1 chunk | +31 lines, -0 lines | 0 comments
A | LayoutTests/svg/as-image/svg-canvas-xhtml-tainted-expected.txt | 1 chunk | +2 lines, -0 lines | 0 comments
M | Source/core/dom/Node.h | 1 chunk | +1 line, -3 lines | 0 comments
M | Source/core/dom/Node.cpp | 3 chunks | +7 lines, -0 lines | 0 comments
M | Source/core/html/HTMLAnchorElement.cpp | 1 chunk | +1 line, -0 lines | 0 comments
M | Source/core/html/HTMLImageElement.cpp | 1 chunk | +1 line, -0 lines | 0 comments
M | Source/core/rendering/svg/RenderSVGRoot.cpp | 2 chunks | +2 lines, -7 lines | 0 comments
M | Source/core/svg/graphics/SVGImage.h | 2 chunks | +5 lines, -0 lines | 0 comments
M | Source/core/svg/graphics/SVGImage.cpp | 3 chunks | +46 lines, -0 lines | 0 comments

Total messages: 19 (0 generated)