Canvas API should consider cross-origin redirects same-origin -> cross-origin -> same-origin
Categories
(Core :: DOM: Security, task, P2)
Tracking
 | Tracking | Status
---|---|---
firefox69 | --- | fixed
People
(Reporter: baku, Assigned: baku)
Details
(Whiteboard: [domsecurity-active])
Attachments
(4 files)
Bug 1554847 - Improve cross-origin checks in canvas API - imgIRequest.hadCrossOriginRedirects, r?jya
47 bytes, text/x-phabricator-request
Currently we check the final principal only in order to check if operations are in write-only mode, and we don't consider intermediate redirects to cross-origin domains [1]. There are actually a few WPTs that check this, and we fail them all [2] [3].
[1] https://searchfox.org/mozilla-central/rev/aba472751e24763d0c18bae8408e9d7106e9acea/dom/canvas/CanvasUtils.cpp#294-311
[2] https://searchfox.org/mozilla-central/rev/ddb81c7a43ffada1f6cb4200c4f625e50e44dcf3/testing/web-platform/meta/2dcontext/imagebitmap/createImageBitmap-origin.sub.html.ini
[3] https://searchfox.org/mozilla-central/rev/ddb81c7a43ffada1f6cb4200c4f625e50e44dcf3/testing/web-platform/meta/html/semantics/embedded-content/the-canvas-element/security.pattern.fillStyle.sub.html.ini
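As an added illustration (not part of this bug's patches or of Firefox's CanvasUtils.cpp), the following JavaScript models the two origin-clean decisions the description contrasts: a check that looks only at the final response URL, and a chain-aware check that taints the canvas as soon as any hop in the redirect chain is cross-origin without CORS approval, which is the information the `hadCrossOriginRedirects` flag named in the attachment title is meant to carry. The URLs, the `corsApproved` parameter and the function names are constructed for the example.

```javascript
// Added example, not Firefox code: models canvas tainting decisions for an
// image source that was fetched through a chain of redirects.

// Origin in the "scheme://host[:port]" sense used by the same-origin policy.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Final-URL-only check: the behaviour the bug reports. It sees that the last
// hop landed back on the document's origin and wrongly leaves the canvas clean.
// corsApproved stands in for a successful CORS fetch (crossOrigin attribute set
// and the response approved); the real CORS algorithm is not modelled here.
function taintsCanvasFinalOnly(documentUrl, redirectChain, corsApproved) {
  if (corsApproved) return false;
  const finalUrl = redirectChain[redirectChain.length - 1];
  return originOf(finalUrl) !== originOf(documentUrl);
}

// Chain-aware check: a non-CORS load is origin-clean only if every hop,
// including intermediate redirects, stayed on the document's origin.
function taintsCanvasChainAware(documentUrl, redirectChain, corsApproved) {
  if (corsApproved) return false;
  const docOrigin = originOf(documentUrl);
  return redirectChain.some((url) => originOf(url) !== docOrigin);
}

// Constructed chain matching the bug title:
// same-origin -> cross-origin -> same-origin.
const SAMPLE_DOCUMENT = "https://example.test/page.html";
const SAMPLE_CHAIN = [
  "https://example.test/image.png",     // initial request, same-origin
  "https://other.test/redirect",        // intermediate hop, cross-origin
  "https://example.test/final.png",     // final response, same-origin again
];

// Summarises both decisions for one chain so the difference is visible.
function compareChecks(documentUrl, redirectChain, corsApproved) {
  return {
    finalOnly: taintsCanvasFinalOnly(documentUrl, redirectChain, corsApproved),
    chainAware: taintsCanvasChainAware(documentUrl, redirectChain, corsApproved),
  };
}

console.log(compareChecks(SAMPLE_DOCUMENT, SAMPLE_CHAIN, false));
// → { finalOnly: false, chainAware: true }
```

The chain-aware result is the one the WPTs cited above expect: the intermediate cross-origin hop taints the canvas even though the final principal is same-origin, whereas a CORS-approved load stays clean under both checks.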
Comment 1 • 6 years ago (Assignee)
Comment 2 • 6 years ago (Assignee)
Depends on D32791
Comment 3 • 6 years ago (Assignee)
Depends on D32792
Comment 4 • 6 years ago (Assignee)
Depends on D32793
Updated • 6 years ago
Comment 5 • 6 years ago
Comment 7 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/946e4d9420dd
https://hg.mozilla.org/mozilla-central/rev/3ff9a221f3e5
https://hg.mozilla.org/mozilla-central/rev/101bd1c2d688
https://hg.mozilla.org/mozilla-central/rev/17e36d139ac2
Comment 8 • 6 years ago
Backed out 4 changesets (bug 1554847) for wpt failures at /service-workers/service-worker/fetch-canvas-tainting-video-cache.https.html
Backout: https://hg.mozilla.org/integration/autoland/rev/06d609bdcac65efea169a092144a8dfc85b3dc01
Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedJob=249680898&revision=17e36d139ac227f457e8aaf4af6297d0fe5df712
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=249680898&repo=autoland&lineNumber=95341
12:20:00 INFO - TEST-PASS | /service-workers/service-worker/fetch-canvas-tainting-video-cache.https.html | url "https://web-platform.test:8443/service-workers/service-worker/resources/fetch-access-control.py?VIDEO&cache=true&mode=same-origin&url=https%3A%2F%2Fweb-platform.test%3A8443%2Fservice-workers%2Fservice-worker%2Fresources%2Ffetch-access-control.py%3FVIDEO%26cache%3Dtrue" with crossOrigin "use-credentials" should be NOT_TAINTED
12:20:00 INFO - TEST-UNEXPECTED-FAIL | /service-workers/service-worker/fetch-canvas-tainting-video-cache.https.html | url "https://www1.web-platform.test:8443/service-workers/service-worker/resources/fetch-access-control.py?VIDEO&cache=true&mode=same-origin&url=https%3A%2F%2Fweb-platform.test%3A8443%2Fservice-workers%2Fservice-worker%2Fresources%2Ffetch-access-control.py%3FVIDEO%26cache%3Dtrue" with crossOrigin "" should be NOT_TAINTED - assert_equals: expected "NOT_TAINTED" but got "TAINTED"
12:20:00 INFO - canvas_taint_test/</<@https://web-platform.test:8443/service-workers/service-worker/resources/fetch-canvas-tainting-tests.js:13:11
12:20:00 INFO - promise callbackcanvas_taint_test/<@https://web-platform.test:8443/service-workers/service-worker/resources/fetch-canvas-tainting-tests.js:12:10
12:20:00 INFO - Test.prototype.step@https://web-platform.test:8443/resources/testharness.js:1587:25
12:20:00 INFO - promise_test/tests.promise_tests</<@https://web-platform.test:8443/resources/testharness.js:591:36
12:20:00 INFO - promise_test/tests.promise_tests<@https://web-platform.test:8443/resources/testharness.js:590:20
12:20:00 INFO - promise callbackpromise_test@https://web-platform.test:8443/resources/testharness.js:589:51
12:20:00 INFO - canvas_taint_test@https://web-platform.test:8443/service-workers/service-worker/resources/fetch-canvas-tainting-tests.js:10:3
12:20:00 INFO - do_canvas_tainting_tests@https://web-platform.test:8443/service-workers/service-worker/resources/fetch-canvas-tainting-tests.js:124:3
12:20:00 INFO - @https://web-platform.test:8443/service-workers/service-worker/fetch-canvas-tainting-video-cache.https.html:12:1
12:20:00 INFO - ...................
Updated • 6 years ago
Comment 9 • 6 years ago (Assignee)
I relanded the patches. Should we reopen the bug in the meantime?
Updated • 6 years ago
Comment 10 • 6 years ago
Comment 11 • 6 years ago
Comment 12 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c5b6b70112e1
https://hg.mozilla.org/mozilla-central/rev/6c1abc27fd5d
https://hg.mozilla.org/mozilla-central/rev/8b04a3843b26
https://hg.mozilla.org/mozilla-central/rev/911c01e80761
Comment 13 • 5 years ago
I suspect this bug to be related to the webcompat regression I discovered here: https://webcompat.com/issues/40371