This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

favicon.js fails with cross origin href due to lacking required attribute (security) #14742

Closed
avoidwork opened this issue Jul 14, 2018 · 2 comments

Comments

avoidwork commented Jul 14, 2018

Description

The favicon loaded on https://guided.adobe.com used to work, but now it errors with a canvas DOM security error due to the favicon.js lacking the crossOrigin attribute to allow access.

Test plan / Steps to Reproduce

  1. Visit https://guided.adobe.com; an uncaught error will happen & the application will halt suggesting using Brave & other browsers (this is a regression between March '18 & now).

Actual result:
resolve(canvas.toDataURL('image/png')) fails with a DOM error

VM447:1 Uncaught DOMException: Failed to execute 'toDataURL' on 'HTMLCanvasElement': Tainted canvases may not be exported.
    at eval (eval at img.onload (chrome-extension://mnojpmjdmbbfmejpflffifhffcmidifd/content/scripts/favicon.js:13:7), <anonymous>:1:8)
    at Image.img.onload (chrome-extension://mnojpmjdmbbfmejpflffifhffcmidifd/content/scripts/favicon.js:13:7)
(anonymous) @ VM447:1
img.onload @ favicon.js:13
load (async)
Promise @ favicon.js:7
getBase64FromImageUrl @ favicon.js:2
(anonymous) @ favicon.js:25

Expected result:
resolve(canvas.toDataURL('image/png')) succeeds

Reproduces how often:
100%

Brave Version

about:brave info:

Brave: 0.23.31
V8: 6.7.288.46
rev: 3148ace
Muon: 7.1.5
OS Release: 10.0.17134
Update Channel: Release
OS Architecture: x64
OS Platform: Microsoft Windows
Node.js: 7.9.0
Brave Sync: v1.4.2
libchromiumcontent: 67.0.3396.103

Reproducible on current live release:
Yes

Additional Information

This error did not exist when I made guided.adobe.com public in March '18.

avoidwork changed the title from "favicon.js fails with cross origin href due to canvas lacking required attribute (security)" to "favicon.js fails with cross origin href due to lacking required attribute (security)" on Jul 14, 2018
avoidwork (Author) commented

Hi,

This apparently also affects some government sites in Canada, such as https://www.projectbiglife.ca/

Considering you could put a try/catch around the toDataURL(), or use the promise chain properly to catch the error, could I submit a PR with one of these approaches? I don't think this issue needs to be overthought; the core problem is your code generates an error and doesn't handle it.
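
The two remedies raised in this thread (requesting the image with the crossOrigin attribute, and turning a toDataURL() failure into a promise rejection), sketched as an added example. This is not Brave's favicon.js, whose source does not appear on this page; getBase64FromImageUrl is the name from the stack trace, while faviconOrFallback and the env parameter are hypothetical.

```javascript
// Added example: hardened favicon-to-data-URL helper (not Brave's own code).
// `env` is a hypothetical parameter so the logic can be exercised without a
// browser; in a page or content script it defaults to the real globals.
function getBase64FromImageUrl(url, env = globalThis) {
  return new Promise((resolve, reject) => {
    const img = new env.Image();
    // Fetch in CORS mode without credentials. If the server sends a matching
    // Access-Control-Allow-Origin header the canvas stays origin-clean; if it
    // does not, the load fails and onerror fires instead of tainting the canvas.
    img.crossOrigin = 'anonymous';
    img.onload = () => {
      try {
        const canvas = env.document.createElement('canvas');
        canvas.width = img.width;
        canvas.height = img.height;
        canvas.getContext('2d').drawImage(img, 0, 0);
        resolve(canvas.toDataURL('image/png'));
      } catch (err) {
        // A SecurityError from a tainted canvas becomes a rejection the caller
        // can handle, not an uncaught exception inside the event handler.
        reject(err);
      }
    };
    img.onerror = () => reject(new Error('favicon load failed: ' + url));
    img.src = url; // assigned last, after crossOrigin and both handlers
  });
}

// Caller-side handling: a favicon that cannot be exported yields the fallback
// value and the failure never surfaces on the visited page.
async function faviconOrFallback(url, fallback = null, env = globalThis) {
  try {
    return await getBase64FromImageUrl(url, env);
  } catch (err) {
    return fallback;
  }
}
```

With crossOrigin set, a server that sends no CORS headers causes a load error, so the fallback path is the expected outcome for such sites.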

LaurenWags (Member) commented Jul 25, 2018

Verified with macOS 10.12.6 using

  • 0.23.72 c3b1cac
  • Muon 8.0.2
  • libchromiumcontent 68.0.3440.75

Verified on Ubuntu 17.10 x64

  • 0.23.72 c3b1cac
  • Muon 8.0.2
  • libchromiumcontent 68.0.3440.75

Verified on Windows x64 with

  • 0.23.73 50bdb6d
  • Muon 8.0.3
  • libchromiumcontent 68.0.3440.75
