Bug 1294306: SecurityError when calling toDataURL()
Status: RESOLVED FIXED (Opened 8 years ago, Closed 7 years ago)
Categories: Core :: Graphics: Canvas2D, defect, P3
People: Reporter: tsmith, Assigned: mstange
References: Blocks 1 open bug
Details: Keywords: testcase, Whiteboard: [gfx-noted]
Attachments: 2 files
While fuzzing I continued to hit "SecurityError: The operation is insecure." when calling the canvas' toDataURL method and I wasn't exactly sure what was happening. I have attached two cleaned-up test cases from my fuzzer: one that works as I would expect and one that raises SecurityError. For the test case that errors, I have narrowed the issue down to two operations. So this may not be an issue, but this does seem strange. Thoughts?
Comment 1 • 8 years ago
Comment 2 • 8 years ago
From the view of the spec[1], the toDataURL(), toBlob(), and getImageData() methods check the flag and will throw a "SecurityError" DOMException rather than leak cross-origin data.

[1]: https://html.spec.whatwg.org/multipage/scripting.html#a-serialisation-of-the-bitmap-as-a-file

I think the error happens since we had an operation like [2] in the program.

[2]: ctx.filter='invert(1%)';

Once filter() was called, it sets the canvas to write-only[3] mode. After that, calling ToDataURL() will hit the writeonly check and throw a security error[4].

[3]: https://dxr.mozilla.org/mozilla-central/source/dom/canvas/CanvasRenderingContext2D.cpp#444
[4]: https://dxr.mozilla.org/mozilla-central/source/dom/html/HTMLCanvasElement.cpp#629

I think this error should be reasonable because calling toDataURL() shouldn't be in write-only mode. I will close this bug. Re-open it if I got anything wrong.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Comment 3 • 8 years ago
(In reply to Vincent Liu[:vliu] from comment #2)
> From the view of spec[1], the toDataURL(), toBlob(), and getImageData()
> methods check the flag and will throw a "SecurityError" DOMException rather
> than leak cross-origin data.

Makes sense.

> I think the error happens since we had operation like [2] in program.
>
> [2]: ctx.filter='invert(1%)';
>
> Once filter() was called, it sets to write-only[3] mode for canvas. After
> that, calling ToDataURL() will hit writeonly check and throw out security
> error[4].

This is not a cross-origin filter. Why is it marked tainted? The testcase seems like something you could reasonably expect to work without triggering a CSP exception.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Updated • 8 years ago
Whiteboard: [gfx-noted]
I believe this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1307740 which has been fixed for FF52+
Updated • 7 years ago
Priority: -- → P3
Comment 5 • 7 years ago
Agreed with comment 4. This reproduces with Fx50 but went away in Fx51 (which bug 1307740 was backported to).
Assignee: nobody → mstange
Status: REOPENED → RESOLVED
Closed: 8 years ago → 7 years ago
status-firefox-esr52: --- → fixed
Depends on: 1307740
Resolution: --- → FIXED
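
As an added example (not part of the bug thread and not Firefox code), this JavaScript helper does what the reporter describes: it narrows a test case to the first canvas operation after which toDataURL() throws SecurityError. The names `readbackStatus`, `firstTaintingStep`, `makeMockCanvas` and `STEPS` are hypothetical, and the mock canvas is constructed to model only the write-only behaviour described in comment 2.

```javascript
// Added example, not Firefox code; all names here are hypothetical.
function readbackStatus(canvas) {
  try {
    canvas.toDataURL();
    return "readable";
  } catch (e) {
    if (e && e.name === "SecurityError") return "write-only";
    throw e; // any other failure is not an origin-clean signal
  }
}

// Apply steps in order on a fresh canvas and report the first one after
// which toDataURL() is refused; null means readback never failed.
function firstTaintingStep(makeCanvas, steps) {
  const canvas = makeCanvas();
  const ctx = canvas.getContext("2d");
  if (readbackStatus(canvas) !== "readable") return { index: -1, label: "(fresh canvas)" };
  for (let i = 0; i < steps.length; i++) {
    steps[i].run(ctx);
    if (readbackStatus(canvas) === "write-only") return { index: i, label: steps[i].label };
  }
  return null;
}

// Constructed stand-in for a canvas so the helper runs outside a browser.
// taintOnFilter = true models comment 2 (assigning ctx.filter makes the
// canvas write-only); false models a build where that no longer reproduces.
function makeMockCanvas(taintOnFilter) {
  let writeOnly = false;
  const ctx = {
    fillRect() {},
    set filter(value) { if (taintOnFilter) writeOnly = true; },
  };
  return {
    getContext: () => ctx,
    toDataURL() {
      if (!writeOnly) return "data:image/png;base64,";
      const err = new Error("The operation is insecure.");
      err.name = "SecurityError";
      throw err;
    },
  };
}

// Constructed step list; the filter value is the one quoted in comment 2.
const STEPS = [
  { label: "fillRect", run: (ctx) => ctx.fillRect(0, 0, 10, 10) },
  { label: "filter = invert(1%)", run: (ctx) => { ctx.filter = "invert(1%)"; } },
  { label: "fillRect again", run: (ctx) => ctx.fillRect(0, 0, 10, 10) },
];
```

In a browser, pass `() => document.createElement("canvas")` as `makeCanvas` to run the same steps against the real implementation.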