Closed Bug 944958 Opened 11 years ago Closed 11 years ago

Break Canvas SOP

Categories

(Core :: DOM: Core & HTML, defect)

25 Branch
x86
macOS
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: akapad, Unassigned)

Details

Attachments

(1 file)

Attached file index.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1724.0 Safari/537.36

Steps to reproduce:
1. Use an XHR to get an image from a CORS enabled server (e.g. Facebook CDN)
2. Create an object URL from the blob returned by the XHR
3. Initialize an Image object with the blob URL as the source
4. Draw image to canvas
5. Get image data from canvas

Actual results:
No security error was triggered! Using the Blob and URL constructors, the image data of the canvas is accessed, breaking the single origin policy. This vulnerability could result in private images being transferred to a third party.

Expected results:
A security error should be thrown to prevent the cross origin image data from being accessed.
Component: Untriaged → DOM
Product: Firefox → Core
But if it's a CORS-enabled server can't you just load the image into the canvas directly and read it? I thought that's what CORS was for?
Or read the data from the returned XHR response...
Hi, I filed this bug on Chromium and Webkit, and it has been pointed out that bypassing the single origin policy in this manner is not a security concern. By requesting an image from a CORS enabled server, the client already has byte-level information, data that is no different than requesting pixel information from the canvas. If anything, this demonstrates a way to bypass canvas SOP when requesting from a third party server that you are able to configure.
@Daniel yes, you're correct.
> 1. Use an XHR to get an image from a CORS enabled server (e.g. Facebook CDN) The whole premise of this step is that the page has access to the data? I mean, the CORS policy said so. In particular, at this stage you have access to the responseText and hence to the image data. So what's the security issue?
> If anything, this demonstrates a way to bypass canvas SOP The policy canvas enforces is that if you paint any data you don't already have access to into the canvas you then can't read it back. In this case you had access to the data to start with, so there is no reason to prevent reading it back!
"it rather involved being on the other side of the airtight hatchway."
The "canvas SOP" actually takes CORS into account. E.g. <img crossorigin src={cors-enabled-facebook-image}> can be drawn to a <canvas> and read from per the HTML standard. INVALID per comment 4.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Group: core-security
Component: DOM → DOM: Core & HTML
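The origin-clean rule that comments 4 and 5 describe, as an added example (not code from the bug or from Firefox): a small model of the HTML spec decision for each drawn source, plus a browser-only helper that runs the reporter's steps 3-5 against a real canvas. Origins, URLs and the `sources` field names are constructed for illustration.

```javascript
// Added example, not from the bug report. Models the HTML "origin-clean" flag:
// a canvas is tainted only by image data the page could not already read.

// Origin of an image source. blob: URLs (the reporter's step 2) carry the
// origin of the context that created them, so they count as same-origin data.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === "blob:") return new URL(u.href.slice("blob:".length)).origin;
  return u.origin;
}

// sources: [{ url, crossOrigin, corsHeadersPresent }], relative to pageOrigin.
// Returns true if getImageData() would still be allowed afterwards.
function canvasStaysOriginClean(pageOrigin, sources) {
  return sources.every((s) => {
    if (originOf(s.url) === pageOrigin) return true;   // same-origin: never taints
    if (!s.crossOrigin) return false;                   // cross-origin without CORS: taints
    if (!s.corsHeadersPresent) {
      // crossorigin was requested but the server refused: the image never loads
      throw new Error("image load fails: server did not grant CORS");
    }
    return true;  // CORS-approved: the page already had the bytes, read-back is fine
  });
}

// Browser-only: draw imageUrl and try to read a pixel back. A tainted canvas
// makes getImageData() throw a DOMException named "SecurityError".
async function readBackPixel(imageUrl, crossOrigin = "anonymous") {
  const img = new Image();
  if (crossOrigin) img.crossOrigin = crossOrigin;
  await new Promise((ok, fail) => { img.onload = ok; img.onerror = fail; img.src = imageUrl; });
  const canvas = document.createElement("canvas");
  canvas.width = img.width;
  canvas.height = img.height;
  const ctx = canvas.getContext("2d");
  ctx.drawImage(img, 0, 0);
  try {
    return { ok: true, rgba: Array.from(ctx.getImageData(0, 0, 1, 1).data) };
  } catch (e) {
    return { ok: false, error: e.name };  // "SecurityError" when the canvas is tainted
  }
}
```

In a page, `readBackPixel(url)` versus `readBackPixel(url, null)` shows the two outcomes: a CORS-granted image reads back, the same image drawn without `crossorigin` does not.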