Change ImageBitmap content security policy to use 'origin-clean' #385
Conversation
junov
changed the title
|
This will be extremely useful. One question: for createImageBitmap taking Blob, the Blob couldn't have been fetched if it wasn't effectively same-origin with the document, correct? So ImageBitmaps created from Blobs will always be origin-clean? |
|
Hmm I think this needs @mikewest and @bzbarsky as reviewers at least. Haven't done a review but one nit is the commit message: https://github.com/erlang/otp/wiki/Writing-good-commit-messages |
|
I think this would be applied to HTMLImageElement and HTMLVideoElement only. |
|
I haven't thought through the ImageBitmap bits very much so far. You may want to check with Robert O'Callahan on the mailing list; I'm not sure he has a github account. |
|
@rocallahan, thoughts? |
|
This is probably the right thing to do. It enables usage of cross-origin images for some use-cases at the expense of making all ImageBitmap APIs more complicated... |
|
Commit message was updated. |
| objects are defined to have a flag indicating whether they are <span | ||
| data-x="concept-canvas-origin-clean">origin-clean</span>. All bitmaps start with their <span | ||
| data-x="concept-canvas-origin-clean">origin-clean</span> set to true. The flag is set to false | ||
| when cross-origin images or fonts are used.</p> |
There was a problem hiding this comment.
This should have a <dfn> for its own variable. The one for <canvas> doesn't really apply here.
|
Updated commit. Applied @annevk feedback |
|
|
||
| <p>The <code data-x="dom-canvas-toDataURL">toDataURL()</code>, <code | ||
| data-x="dom-canvas-toBlob">toBlob()</code>, and <code | ||
| data-x="dom-context-2d-getImageData">getImageData()</code> methods check the flag and will | ||
| throw a <code>SecurityError</code> exception rather than leak cross-origin data.</p> | ||
|
|
||
| <p>The value of the <span data-x="concept-ImageBitmap-origin-clean">origin-clean</span> flag is | ||
| propagated from a source <code>canvas</code> element's bitmap to a new <code>ImageBitmap</code> | ||
| object by createImageBitmap. Conversely, a destination <code>canvas</code> element's bitmap will |
There was a problem hiding this comment.
s/createImageBitmap/<code data-x="dom-createImageBitmap">createImageBitmap()</code>/
|
Made the corrections |
| propagated from a source <code>canvas</code> element's bitmap to a new <code>ImageBitmap</code> | ||
| object by <code data-x="dom-createImageBitmap">createImageBitmap()</code>. Conversely, a | ||
| destination <code>canvas</code> element's bitmap will have its <span | ||
| data-x="concept-ImageBitmap-origin-clean">origin-clean</span> flags set to false by drawImage if |
There was a problem hiding this comment.
This is the wrong origin-clean flag. Also, drawImage should be marked up similarly to createImageBitMap. Sorry for not catching this the last time around.
|
Also, once that is sorted @domenic can probably land this. I'll be away until January 1 and it doesn't seem necessary to wait until then. |
|
I still think this needs security review from @mikewest... am I wrong? |
|
I feel fairly confident that the security aspect is fine. But happy to let @mikewest take a look first. |
|
Hmm, I can trust you on that, so will merge after the above corrections are made. |
|
Okay. I made the changes. Switched back to "concept-canvas-origin-clean" everywhere. Edited the definition of "concept-canvas-origin-clean" to make it inclusive of ImageBitmap. Fixed line wrapping mistake. |
| contexts, such as those described in the section on the <code>CanvasRenderingContext2D</code> | ||
| object below, have an <dfn data-x="concept-canvas-origin-clean">origin-clean</dfn> flag, which can | ||
| be set to true or false. Initially, when the <code>canvas</code> element is created, its bitmap's | ||
| <p>The bitmaps of <code>canvas</code> elements, the bitmaps of ImageBitmap objects, as well as |
There was a problem hiding this comment.
Needs <code> around ImageBitmap. Also below.
Before this change, the content security policy of ImageBitmap did not allow any cross-origin content in ImageBitmap objects. Attempts to do so would cause SecurityError exceptions to be thrown. With this change, a tainting mechanism is added to ImageBitmap, which allows cross-origin content to be transported by ImageBitmaps while still protecting the bitmap image data from being accessed by script. The tainting mechanism uses an 'origin clean' flag that works much like the 'origin clean' flag of canvas element bitmaps.
|
Done. |
Before this change, the content security policy of ImageBitmap did not allow any cross-origin content in ImageBitmap objects. Attempts to do so would cause SecurityError exceptions to be thrown. With this change, a tainting mechanism is added to ImageBitmap, which allows cross-origin content to be transported by ImageBitmaps while still protecting the bitmap image data from being accessed by script. The tainting mechanism uses an 'origin clean' flag that works much like the 'origin clean' flag of canvas element bitmaps. PR #385
|
Merged as 083c57c, woo! |
Currently, image bitmap creation fails when the source is from another origin
or is tainted with cross-origin content. This is unnecessarily restrictive and
hinders use cases envisaged in the OffscreenCanvas feature proposal.