Closed Bug 451938 Opened 13 years ago Closed 13 years ago
stealing frames from <video> via canvas
It is possible to steal frames from arbitrary videos that the luser can load, via canvas + drawImage or fillRect. As of now it works directly - no need for http redirects.
Component: General → Video/Audio
Product: Firefox → Core
Component: Video/Audio → Layout: Canvas
this seems to work with "file:///" URIs, basically allowing stealing homemade pron with known filename
<video> being able to refer to file:/// URLs might be a separate bug.
> <video> being able to refer to file:/// URLs might be a separate bug.

sure, it allows checking for existence of local files. soon to file a new bug + testcase
checking for file existence via <video> is Bug 451958
Indeed, the wrong principal is being used here -- http://hg.mozilla.org/mozilla-central/index.cgi/file/tip/content/canvas/src/nsCanvasRenderingContext2D.cpp#l2826 . How do I get the principal of the actual video stream, e.g. what happens at http://hg.mozilla.org/mozilla-central/index.cgi/file/tip/content/canvas/src/nsCanvasRenderingContext2D.cpp#l2854 ?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
You can get the actual URI of the video being played (i.e. the one that was selected from the multiple sources to play) with GetCurrentSrc on the media element.
I don't want the URI though, I want the principal -- or can I turn that URI into a principal?
Here's a fix -- this passes the principal down the chain so that canvas can get at it.
Attachment #336699 - Flags: superreview? → superreview?(bzbarsky)
Comment on attachment 336699: pass the principal down the relay line...

I wish -p -U 8 worked for these diffs....

>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>@@ -2823,7 +2823,8 @@
>+ video->GetCurrentPrincipal(prinOut);
>+

So... right now callers of this method assume the principal is never null. In particular, DoDrawImageSecurityCheck certainly does. Your newly added code looks like it might return null sometimes. So we either need to add null-checks in various places or make ThebesSurfaceFromElement throw on a null principal. The latter is probably better.

The rest looks fine, though I'd just have the methods return nsIPrincipal* instead of doing the COM-like dance.
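Review bot: the added `video->GetCurrentPrincipal(prinOut);` call in the hunk at -2823 has no test of `prinOut` in the lines shown, so a null principal would flow on to callers such as DoDrawImageSecurityCheck that assume it is never null. Check `prinOut` immediately after the call and return an error when it is null, so the draw fails closed instead of continuing without a principal.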
Updated; note that this depends on bug 417836 which I'll land shortly. I changed the interface to just return a nsIPrincipal*, and explicitly check for null (and throw an error in that case).
Comment on attachment 336933: updated

>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>+ *prinOut = principal.forget().get();

principal.forget(prinOut);

r+sr=bzbarsky with that.
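Review bot: on the `*prinOut = principal.forget().get();` line the owning reference is handed to the caller through a raw pointer, and nothing at the assignment says so. Either use the `principal.forget(prinOut);` form from the reply, or add a one-line comment that the caller receives an owning reference and must release it.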
Fix checked in: 18910[tip] ad53051ebd43 2008-09-06 16:47 -0700 vladimir b=451938; ensure correct principal is used in case of <video> and drawImage; r=bz
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
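A small model of the check this fix concerns, added here as an illustration and not taken from the Mozilla patch: the canvas compares its own origin with the principal of the resource the video is actually playing, and refuses the draw when there is no principal. `ModelCanvas`, `modelVideo`, `readback` and the `useOwnerPrincipal` switch (an assumption about what the pre-fix code compared) are hypothetical names, and the URLs passed to them are constructed.

```javascript
// Added model, not Mozilla code. An origin string stands in for a principal.
// Opaque origins (file:, data:) serialize as "null" and never match anything.
function sameOrigin(a, b) {
  return a !== "null" && b !== "null" && a === b;
}

// A video is described by the page embedding the element and the resource
// actually playing (what currentSrc resolves to after source selection).
function modelVideo(ownerPageUrl, currentSrc) {
  return {
    ownerOrigin: new URL(ownerPageUrl).origin,
    currentPrincipal: () => (currentSrc ? new URL(currentSrc).origin : null),
  };
}

class ModelCanvas {
  constructor(pageUrl) {
    this.origin = new URL(pageUrl).origin;
    this.originClean = true;
  }
  // useOwnerPrincipal=true reproduces the assumed pre-fix behaviour.
  drawImage(video, useOwnerPrincipal = false) {
    const principal = useOwnerPrincipal ? video.ownerOrigin : video.currentPrincipal();
    // Fail closed: a source with no principal must not reach the comparison.
    if (principal === null) throw new Error("SecurityError: source has no principal");
    if (!sameOrigin(this.origin, principal)) this.originClean = false;
  }
  getImageData() {
    if (!this.originClean) throw new Error("SecurityError: canvas is not origin-clean");
    return "pixels";
  }
}

// Returns "readable", "blocked" (tainted canvas) or "rejected" (draw refused).
function readback(pageUrl, videoSrc, useOwnerPrincipal = false) {
  const canvas = new ModelCanvas(pageUrl);
  try {
    canvas.drawImage(modelVideo(pageUrl, videoSrc), useOwnerPrincipal);
  } catch (e) {
    return "rejected";
  }
  try {
    canvas.getImageData();
    return "readable";
  } catch (e) {
    return "blocked";
  }
}
```

The same cases make a regression checklist for a real browser: same-origin video readable, cross-origin and file: video blocked on readback, and a video with no resource refused at draw time.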
seems fixed on trunk according to my tests. tried fillRect and http redirects - both seem fixed
do some svg filters or similar stuff alter images so they can be stolen? some tests with filter feImage show the image yet when drawn to canvas the original image is drawn, i.e. no theft.