
Selecting a Hubs avatar throws a Security error #27211

Closed
jdm opened this issue Jul 8, 2020 · 9 comments

Comments


@jdm jdm commented Jul 8, 2020

This comes from

    return Err(Error::Security);

@jdm jdm added the A-content/webgl label Jul 8, 2020
@jdm jdm added this to To do in Hubs support Jul 8, 2020

@jdm jdm commented Jul 8, 2020

I suspect that TexImage2D is being too strict - I believe it's acceptable to use CORS-unsafe image data as texture data, but we should taint the 3d canvas in that case and prevent readback from it.


@jdm jdm commented Jul 8, 2020


@jdm jdm commented Jul 9, 2020

Firefox request headers:

    {"Request Headers (475 B)":{"headers":[{"name":"Accept","value":"*/*"},{"name":"Accept-Encoding","value":"gzip, deflate, br"},{"name":"Accept-Language","value":"en-US,en;q=0.5"},{"name":"Connection","value":"keep-alive"},{"name":"Host","value":"uploads-prod.reticulum.io"},{"name":"Origin","value":"https://hubs.mozilla.com"},{"name":"Referer","value":"https://hubs.mozilla.com/mB8Wn7L/talkative-simplistic-sphere"},{"name":"Sec-Fetch-Dest","value":"empty"},{"name":"Sec-Fetch-Mode","value":"cors"},{"name":"Sec-Fetch-Site","value":"cross-site"},{"name":"User-Agent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0"}]}}

Response headers:

    {"Response Headers (4.235 KB)":{"headers":[{"name":"accept-ranges","value":"bytes"},{"name":"access-control-allow-credentials","value":"true"},{"name":"access-control-allow-origin","value":"https://hubs.mozilla.com"},{"name":"access-control-expose-headers","value":""},{"name":"cache-control","value":"public, max-age=31536000"},{"name":"content-length","value":"3496"},{"name":"content-security-policy","value":"default-src 'none'; manifest-src  'self'; script-src 'sha256-1bG69cjuJlQcoR2gPgfr+YdOzfYOv5vthSG0IUK6ANc=' https://buttons.github.io https://sentry.prod.mozaws.net https://assets-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://asset-bundles-prod.reticulum.io https://smoke-asset-bundles-prod.reticulum.io https://cdn.rawgit.com https://uploads-prod.reticulum.io  'self' 'unsafe-eval' 'sha256-ViVvpb0oYlPAp7R8ZLxlNI6rsf7E7oz8l1SgCIXgMvM=' 'sha256-hsbRcgUBASABDq7qVGVTpbnWq/ns7B+ToTctZFJXYi8=' 'sha256-MIpWPgYj31kCgSUFc0UwHGQrV87W6N5ozotqfxxQG0w=' 'sha256-buF6N8Z4p2PuaaeRUjm7mxBpPNf4XlCT9Fep83YabbM=' 'sha256-/S6PM16MxkmUT7zJN2lkEKFgvXR7yL4Z8PCrRrFu4Q8=' https://www.google-analytics.com https://uploads-prod.reticulum.io  https://aframe.io https://www.youtube.com https://s.ytimg.com; child-src  'self' blob:; worker-src https://assets-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://uploads-prod.reticulum.io  'self' blob:; font-src https://assets-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://asset-bundles-prod.reticulum.io https://smoke-asset-bundles-prod.reticulum.io https://hubs-proxy.com 'self' https://fonts.googleapis.com https://cdn.jsdelivr.net https://fonts.gstatic.com https://cdn.aframe.io https://uploads-prod.reticulum.io  https://cors-proxy-prod.reticulum.io:443; style-src https://cdnjs.cloudflare.com https://assets-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://asset-bundles-prod.reticulum.io https://smoke-asset-bundles-prod.reticulum.io https://hubs-proxy.com 'self' https://fonts.googleapis.com https://cdn.jsdelivr.net https://cors-proxy-prod.reticulum.io:443 https://uploads-prod.reticulum.io  'unsafe-inline'; connect-src https://hubs.link https://hub.link https://sentry.prod.mozaws.net https://assets-prod.reticulum.io https://uploads-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://asset-bundles-prod.reticulum.io https://smoke-asset-bundles-prod.reticulum.io https://hubs-proxy.com wss://hubs.mozilla.com wss://smoke-hubs.mozilla.com https://www.mozilla.org https://hubs.local:3000 'self' https://cors-proxy-prod.reticulum.io:443 https://uploads-prod.reticulum.io   https://dpdb.webvr.rocks https://nearspark-prod.reticulum.io:443 https://*.reticulum.io:443 wss://*.reticulum.io:443 wss://*.reticulum.io:443 https://*.reticulum.io:443 wss://:443 https://:443 https://cdn.aframe.io https://www.youtube.com https://api.github.com data: blob:; img-src https://assets-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://asset-bundles-prod.reticulum.io https://smoke-asset-bundles-prod.reticulum.io https://nearspark.reticulum.io https://hubs-proxy.com 'self' https://www.google-analytics.com https://uploads-prod.reticulum.io  https://cors-proxy-prod.reticulum.io:443 https://nearspark-prod.reticulum.io:443 https://cdn.aframe.io https://www.youtube.com https://user-images.githubusercontent.com https://cdn.jsdelivr.net data: blob:; media-src https://assets-prod.reticulum.io https://smoke-assets-prod.reticulum.io https://asset-bundles-prod.reticulum.io https://smoke-asset-bundles-prod.reticulum.io https://hubs-proxy.com https://nearspark.reticulum.io 'self' https://cors-proxy-prod.reticulum.io:443 https://uploads-prod.reticulum.io  https://nearspark-prod.reticulum.io:443 https://www.youtube.com *.googlevideo.com data: blob:; frame-src  https://www.youtube.com https://docs.google.com https://player.vimeo.com 'self'; base-uri 'none'; form-action  'self';"},{"name":"content-type","value":"image/png"},{"name":"cross-origin-window-policy","value":"deny"},{"name":"date","value":"Tue, 07 Jul 2020 19:58:51 GMT"},{"name":"server","value":"Cowboy"},{"name":"strict-transport-security","value":"max-age=31536000"},{"name":"vary","value":"Origin"},{"name":"via","value":"1.1 52f00b3c99e61952d33c0a62d6b89f80.cloudfront.net (CloudFront)"},{"name":"x-amz-cf-id","value":"bYORdMabhUUJhVEO7LhsZ7SdVq6K_JVSvZJ-p4dkg8pmvQQBM388qA=="},{"name":"x-amz-cf-pop","value":"YUL62-C1"},{"name":"x-cache","value":"Miss from cloudfront"},{"name":"x-content-type-options","value":"nosniff"},{"name":"x-download-options","value":"noopen"},{"name":"X-Firefox-Spdy","value":"h2"},{"name":"x-frame-options","value":"SAMEORIGIN"},{"name":"x-permitted-cross-domain-policies","value":"none"},{"name":"x-request-id","value":"Fh-QvDy96mtDqCQBK6HB"},{"name":"x-xss-protection","value":"1; mode=block"}]}}

@jdm jdm commented Jul 9, 2020

The problem appears to ultimately come from this code. Every indication in my testing shows that the texture loader should be passing "anonymous" there, but there somehow appears to be an instance of that loader that does not have setCrossOrigin called on it but still ends up with an undefined this.crossOrigin.


@jdm jdm commented Jul 9, 2020

In particular, debugging code has verified that for the images that are failing to load, this.crossOrigin is different than HubsTextureLoader.crossOrigin, despite the property being declared as static. I think the next step is to figure out if this is:

  • a spidermonkey bug
  • a transpiling bug
  • something else?

The transpiling bug is a possibility given the code in question when running the site through unminify-js:

        o = "anonymous", (s = "crossOrigin") in (r = a) ? Object.defineProperty(r, s, {
            value: o,
            enumerable: !0,
            configurable: !0,
            writable: !0
        }) : r[s] = o
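The following is an added example, not Hubs, three.js or Servo code, that shows the plain JavaScript semantics behind the observation above: a field defined on the class object (a static field) is not visible through `this` on an instance, so a loader that reads `this.crossOrigin` sees `undefined` even though `HubsTextureLoader.crossOrigin` holds `"anonymous"`. The `defineField` helper reproduces the shape of the transpiled output quoted above; `BaseLoader`, `StaticFieldLoader` and `InstanceFieldLoader` are hypothetical stand-ins for the loader classes named in the thread.

```javascript
// Added example (not Hubs, three.js or Servo code): static vs. instance fields
// under a Babel-style field helper, and what each looks like through `this`.

// Same shape as the transpiled snippet above: if the key already exists on the
// target, redefine it with Object.defineProperty; otherwise plain-assign it.
function defineField(target, key, value) {
  if (key in target) {
    Object.defineProperty(target, key, {
      value, enumerable: true, configurable: true, writable: true,
    });
  } else {
    target[key] = value;
  }
  return target;
}

// Hypothetical base loader: it reads crossOrigin through `this` when it
// decides how to request an image, exactly the read that surprised the thread.
class BaseLoader {
  load(url) {
    return { url, crossOrigin: this.crossOrigin };
  }
}

// Variant A: the field ends up on the constructor, i.e. a static field.
class StaticFieldLoader extends BaseLoader {}
defineField(StaticFieldLoader, "crossOrigin", "anonymous");

// Variant B: the field ends up on each instance, which is what a loader that
// reads `this.crossOrigin` actually needs.
class InstanceFieldLoader extends BaseLoader {
  constructor() {
    super();
    defineField(this, "crossOrigin", "anonymous");
  }
}

// Compare what an instance sees via `this` with what the class object holds.
function inspect(LoaderCtor) {
  const loader = new LoaderCtor();
  return {
    viaThis: loader.load("https://example.invalid/avatar.png").crossOrigin,
    viaClass: LoaderCtor.crossOrigin,
  };
}

console.log(inspect(StaticFieldLoader));
// → { viaThis: undefined, viaClass: 'anonymous' }
console.log(inspect(InstanceFieldLoader));
// → { viaThis: 'anonymous', viaClass: undefined }
```

Variant A is the state the thread describes: `this.crossOrigin` and `HubsTextureLoader.crossOrigin` disagree, and an `undefined` value flowing into an image element's `crossOrigin` property means the image is requested without CORS.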

@jdm jdm commented Jul 9, 2020

Ok, so more and more curious - the exact same behaviour occurs in Firefox (undefined vs. anonymous for this vs. HubsTextureLoader), but the effect is not a security error.

Edit: the network monitor shows a Sec-Fetch-Mode: cors request header, which indicates that the request was made with CORS enabled, rather than NoCors mode, which explains why there's no security error.


@jdm jdm commented Jul 9, 2020

Aha! I can reproduce the same problem in Firefox by forcing HubsTextureLoader to use the ImageLoader instead of ImageBitmapLoader. The difference with the latter is that it uses the fetch() API instead of creating an image element. The reason this makes a difference is step 6 in https://fetch.spec.whatwg.org/#request-class, which parses a string URL and sets the fallbackMode to "cors" instead of the default "no-cors".

I believe we can now file an issue on Hubs about a transpiling error that breaks any browser that doesn't expose createImageBitmap, since the same error occurs in Blink as well.
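The following is an added example, not Servo, Firefox or Hubs code, that models the chain the thread uncovered end to end: how the request mode is chosen (string URL to `fetch()` versus an `<img>` element with or without a `crossorigin` attribute), whether the resulting response leaves the decoded image origin-clean, and why a non-origin-clean image makes a WebGL `texImage2D` upload fail with a SecurityError. The page origin, the avatar host and the two CORS response headers are taken from the thread; the avatar path and the simplified `isOriginClean` rule are constructed assumptions.

```javascript
// Added example (not Servo, Firefox or Hubs code): request mode -> origin-clean
// -> texImage2D outcome, for the two loader paths discussed in the thread.

// Fetch spec, Request constructor: a string input sets fallbackMode to "cors";
// a Request input leaves it null, so the request's default "no-cors" applies
// unless init.mode overrides it (https://fetch.spec.whatwg.org/#request-class).
function requestModeForFetch(input, init = {}) {
  const fallbackMode = typeof input === "string" ? "cors" : null;
  const mode = init.mode !== undefined ? init.mode : fallbackMode;
  if (mode === "navigate") throw new TypeError("navigate mode is not allowed");
  return mode !== null ? mode : "no-cors";
}

// An <img> without a crossorigin attribute is fetched in "no-cors";
// "anonymous" or "use-credentials" switch it to "cors". An undefined
// this.crossOrigin, as observed in the thread, lands in the first case.
function requestModeForImage(crossOriginAttr) {
  return crossOriginAttr === undefined || crossOriginAttr === null ? "no-cors" : "cors";
}

function originOf(url) {
  return new URL(url).origin;
}

// Simplified origin-clean rule (assumption): same-origin responses are clean;
// cross-origin ones only when requested in "cors" mode and the server's
// Access-Control-Allow-Origin names the page origin (or is "*"). A "no-cors"
// cross-origin response is opaque, so its pixels must never become readable.
function isOriginClean({ pageOrigin, url, mode, responseHeaders }) {
  if (originOf(url) === pageOrigin) return true;
  if (mode !== "cors") return false;
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// WebGL refuses non-origin-clean sources with a SecurityError; Servo's
// Err(Error::Security) quoted at the top of the issue is the same decision.
function texImage2D(image) {
  if (!image.originClean) {
    const err = new Error("The operation is insecure.");
    err.name = "SecurityError";
    throw err;
  }
  return { uploaded: true, url: image.url };
}

// Constructed sample: the page origin and avatar host from the thread, plus the
// relevant captured response headers. The file path is a placeholder.
const PAGE_ORIGIN = "https://hubs.mozilla.com";
const AVATAR_URL = "https://uploads-prod.reticulum.io/files/avatar.png";
const RESPONSE_HEADERS = {
  "access-control-allow-origin": "https://hubs.mozilla.com",
  "access-control-allow-credentials": "true",
  "content-type": "image/png",
};

// Simulate one texture upload for a given request mode.
function loadTexture(mode) {
  const originClean = isOriginClean({
    pageOrigin: PAGE_ORIGIN, url: AVATAR_URL, mode, responseHeaders: RESPONSE_HEADERS,
  });
  try {
    return { ok: true, result: texImage2D({ url: AVATAR_URL, originClean }) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// ImageBitmapLoader path: fetch(stringUrl) -> "cors" -> origin-clean -> upload succeeds.
const viaFetch = loadTexture(requestModeForFetch(AVATAR_URL));
// ImageLoader path with this.crossOrigin undefined: <img> -> "no-cors" -> SecurityError.
const viaImageElement = loadTexture(requestModeForImage(undefined));
// The same <img> path once crossOrigin is "anonymous": "cors" -> upload succeeds.
const viaImageAnonymous = loadTexture(requestModeForImage("anonymous"));

console.log({ viaFetch, viaImageElement, viaImageAnonymous });
```

The model matches the captured headers: the Firefox request carried `Sec-Fetch-Mode: cors` because it came from `fetch()` with a string URL, and the server answered with an `access-control-allow-origin` matching the page, so the image was origin-clean. The `<img>` path with an undefined `crossOrigin` never asks for CORS, so the engine has nothing it may legitimately read into a texture, and rejecting the upload is the correct outcome.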


@jdm jdm commented Jul 9, 2020


@jdm jdm commented Jul 22, 2020

This has been fixed upstream.

@jdm jdm closed this Jul 22, 2020
@atouchet atouchet moved this from To do to Done in Hubs support Jul 22, 2020