Closed
Bug 604496
Opened 14 years ago
Closed 9 years ago
Security Error with toDataURL on a canvas with drawImage on a video loaded from a data URL
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: antimatter15, Assigned: bzbarsky)
References
()
Details
Attachments
(2 files)
21.17 KB,
text/html
|
Details | |
4.79 KB,
patch
|
cpearce
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/7.0.544.0 Safari/534.10 Build Identifier: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0b6) Gecko/20100101 Firefox/4.0b6 I'm working on a javascript WebP -> WebM conversion library and for a multitude of reasons, it would be nice to convert the video back into an image through canvas, but firefox always gives a security exception after calling toDataURL. I think it's something like the cross-origin image loading issues with canvas, but I don't believe data urls count as a different domain. Chrome allows this behavior and I believe Opera too. Reproducible: Always Steps to Reproduce: 1. Have a <video> tag that has a src set to a data: url 2. drawImage(video) to the canvas 3. call toDataURL('image/png') or getImageData() and observe exception Actual Results: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///home/antimatter15/testcase.html Line: 1"] Expected Results: A long data url
Reporter | ||
Comment 1•14 years ago
|
||
Assignee | ||
Comment 2•14 years ago
|
||
> but I don't believe data urls count as a different domain
They do, in general; unless otherwise special-cased. <video> doesn't thus special-case them.
Status: UNCONFIRMED → NEW
Component: Canvas: 2D → Video/Audio
Ever confirmed: true
QA Contact: canvas.2d → video.audio
Assignee | ||
Comment 3•14 years ago
|
||
In particular, the HTML5 spec for origins is very clear, and data:something is a different origin from http:// anything because the schemes are different. So a behavior change here would need a spec change too.
Reporter | ||
Comment 4•14 years ago
|
||
Interesting. From http://dev.w3.org/html5/spec/Overview.html#same-origin If a Document or image was generated from a data: URL found in another Document or in a script The origin is the origin of the Document or script that initiated the navigation to that URL. I'm not exactly sure what that means, but it seems to me that this means (in this case) the origin should be the same.
Assignee | ||
Comment 5•14 years ago
|
||
That only applies to documents and images, though.... We apply it to documents but not yet to images. And the spec language doesn't apply to <video>. Now maybe what's needed here is a spec change, of course.
Comment 7•13 years ago
|
||
I'm trying to stream live video and do some pixel manipulation for video canvas. Video feed comes from localhost (it has domain name, pointing to 127.0.0.1) and HTML part from internet. That makes getImageData() fail. There should be config option to disable security checking for videos and other media files.
Assignee | ||
Comment 8•13 years ago
|
||
Lari, that's completely unrelated to this bug. Can you please raise a spec issue on adding something like the 'crossorigin' attribute to video elements?
Assignee | ||
Comment 9•9 years ago
|
||
Looks like the spec here has changed so now data: videos are supposed to inherit the origin. Specifically, the origin of "audio and video elements" is defined as: If the media data is CORS-same-origin The origin is an alias to the origin of the media element's node document. and under https://html.spec.whatwg.org/multipage/infrastructure.html#cors-enabled-fetch all data: loads are treated as CORS-same-origin.
Assignee | ||
Comment 10•9 years ago
|
||
This fixes the testcase in this bug, but I'm pretty sure that only hits the HTMLMediaElement codepath. I'd really appreciate help with writing tests for this that cover all three codepaths...
Attachment #8549865 -
Flags: review?(cpearce)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Updated•9 years ago
|
Attachment #8549865 -
Flags: review?(cpearce) → review+
Assignee | ||
Comment 11•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/624049a9b1aa
Flags: in-testsuite?
Target Milestone: --- → mozilla38
Comment 12•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/624049a9b1aa
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Depends on: 1130893
Comment 14•9 years ago
|
||
Confirmed: this fixes the bug 1147884
You need to log in
before you can comment on or make changes to this bug.
Description
•