Change ImageBitmap to allow cross-origin content

junov · domenic · commit 083c57cc3799 · 2015-12-20T00:55:50.000-05:00
Before this change, the content security policy of ImageBitmap did not allow any cross-origin content in ImageBitmap objects. Attempts to do so would cause SecurityError exceptions to be thrown. With this change, a tainting mechanism is added to ImageBitmap, which allows cross-origin content to be transported by ImageBitmaps while still protecting the bitmap image data from being accessed by script. The tainting mechanism uses an 'origin clean' flag that works much like the 'origin clean' flag of canvas element bitmaps. PR #385
diff --git a/source b/source
@@ -60715,13 +60715,13 @@ callback <dfn>BlobCallback</dfn> = void (<span>Blob</span>? blob);</pre>
 
   <hr>
 
-<!--ADD-TOPIC:Security-->
-  <p>The bitmaps of <code>canvas</code> elements, as well as some of the bitmaps of rendering
-  contexts, such as those described in the section on the <code>CanvasRenderingContext2D</code>
-  object below, have an <dfn data-x="concept-canvas-origin-clean">origin-clean</dfn> flag, which can
-  be set to true or false. Initially, when the <code>canvas</code> element is created, its bitmap's
-  <span data-x="concept-canvas-origin-clean">origin-clean</span> flag must be set to true.</p>
-<!--REMOVE-TOPIC:Security-->
+  <p>The bitmaps of <code>canvas</code> elements, the bitmaps of <code>ImageBitmap</code> objects,
+  as well as some of the bitmaps of rendering contexts, such as those described in the section on
+  the <code>CanvasRenderingContext2D</code> object below, have an <dfn
+  data-x="concept-canvas-origin-clean">origin-clean</dfn> flag, which can be set to true or false.
+  Initially, when the <code>canvas</code> element or <code>ImageBitmap</code> object is created,
+  its bitmap's <span data-x="concept-canvas-origin-clean">origin-clean</span> flag must be set to
+  true.</p>
 
   <p>A <code>canvas</code> bitmap can also have a <span>hit region list</span>, as described in the
   <code>CanvasRenderingContext2D</code> section below.</p>
@@ -67294,7 +67294,6 @@ function AddCloud(data, x, y) { ... }</pre>
   </div>
 
 
-<!--ADD-TOPIC:Security-->
   <div w-nodev>
 
   <h5>Security with <code>canvas</code> elements</h5>
@@ -67305,22 +67304,31 @@ function AddCloud(data, x, y) { ... }</pre>
   access information (e.g. read pixels) from images from another origin (one that isn't the <span
   data-x="same origin">same</span>).</p>
 
-  <p>To mitigate this, bitmaps used with <code>canvas</code> elements are defined to have a flag
-  indicating whether they are <span data-x="concept-canvas-origin-clean">origin-clean</span>. All
-  bitmaps start with their <span data-x="concept-canvas-origin-clean">origin-clean</span> set to
-  true. The flag is set to false when cross-origin images or fonts are used.</p>
+  <p>To mitigate this, bitmaps used with <code>canvas</code> elements and <code>ImageBitmap</code>
+  objects are defined to have a flag indicating whether they are <span
+  data-x="concept-canvas-origin-clean">origin-clean</span>. All bitmaps start with their <span
+  data-x="concept-canvas-origin-clean">origin-clean</span> set to true. The flag is set to
+  false when cross-origin images or fonts are used.</p>
 
   <p>The <code data-x="dom-canvas-toDataURL">toDataURL()</code>, <code
   data-x="dom-canvas-toBlob">toBlob()</code>, and <code
   data-x="dom-context-2d-getImageData">getImageData()</code> methods check the flag and will
   throw a <code>SecurityError</code> exception rather than leak cross-origin data.</p>
 
+  <p>The value of the <span data-x="concept-canvas-origin-clean">origin-clean</span> flag is
+  propagated from a source <code>canvas</code> element's bitmap to a new <code>ImageBitmap</code>
+  object by <code data-x="dom-createImageBitmap">createImageBitmap()</code>. Conversely, a
+  destination <code>canvas</code> element's bitmap will have its <span
+  data-x="concept-canvas-origin-clean">origin-clean</span> flags set to false by <code
+  data-x="dom-context-2d-drawImage">drawImage</code> if the source image is an 
+  <code>ImageBitmap</code> object whose bitmap has its <span
+  data-x="concept-canvas-origin-clean">origin-clean</span> flag set to false.</p>
+
   <p>The flag can be reset in certain situations; for example, when a
-  <code>CanvasRenderingContext2D</code> is bound to a new <code>canvas</code>, the bitmap is cleared
-  and its flag reset.</p>
+  <code>CanvasRenderingContext2D</code> is bound to a new <code>canvas</code>, the bitmap is
+  cleared and its flag reset.</p>
 
   </div>
-<!--REMOVE-TOPIC:Security-->
 
 
 <!--TOPIC:HTML-->
@@ -90500,9 +90508,15 @@ interface <dfn>ImageBitmapFactories</dfn> {
   object's media data can be decoded without errors, it is said to be <dfn
   data-x="concept-ImageBitmap-good">fully decodable</dfn>.</p>
 
+  <p>An <code>ImageBitmap</code> object's bitmap has an <span
+  data-x="concept-canvas-origin-clean">origin-clean</span> flag, which indicates whether the
+  bitmap is tainted by content from a different <span>origin</span>. The flag is initially set to
+  true and may be changed to false by the steps of <code
+  data-x="dom-createImageBitmap">createImageBitmap()</code>.</p>
+
   <p>An <code>ImageBitmap</code> object can be obtained from a variety of different objects, using
-  the <dfn><code data-x="dom-createImageBitmap">createImageBitmap()</code></dfn> method. When invoked, the
-  method must act as follows:</p>
+  the <dfn><code data-x="dom-createImageBitmap">createImageBitmap()</code></dfn> method. When
+  invoked, the method must act as follows:</p>
   <!-- the canvas createPattern() and drawImage() methods have similar requirements -->
 
   <dl>
@@ -90520,12 +90534,6 @@ interface <dfn>ImageBitmapFactories</dfn> {
      available</span>, then return a promise rejected with an <code>InvalidStateError</code> exception and abort these
      steps.</p></li>
 
-<!--ADD-TOPIC:Security-->
-     <li><p>If the <span>origin</span> of the <code>img</code> element's image is not the <span>same
-     origin</span> as the <span>origin</span> specified by the <span>entry settings object</span>,
-     then return a promise rejected with a <code>SecurityError</code> exception and abort these steps.</p></li>
-<!--REMOVE-TOPIC:Security-->
-
      <li><p>If the <code>img</code> element's media data is not a bitmap (e.g. it's a vector
      graphic), then return a promise rejected with an <code>InvalidStateError</code> exception and abort these
      steps.</p></li>
@@ -90539,6 +90547,11 @@ interface <dfn>ImageBitmapFactories</dfn> {
      supported or is disabled), or, if there is no such image, the first frame of the
      animation.</p></li>
 
+     <li><p>If the <span>origin</span> of the <code>img</code> element's image is not the
+     <span>same origin</span> as the <span>origin</span> specified by the <span>entry settings
+     object</span>, then set the <span data-x="concept-canvas-origin-clean">origin-clean
+     </span> flag of the <code>ImageBitmap</code> object's bitmap to false.</p></li>
+
      <li><p>Return a new promise, but continue running these steps
      <span>in parallel</span>.</p></li>
 
@@ -90562,12 +90575,6 @@ interface <dfn>ImageBitmapFactories</dfn> {
      data-x="dom-media-NETWORK_EMPTY">NETWORK_EMPTY</code>, then return a promise rejected with an
      <code>InvalidStateError</code> exception and abort these steps.</p></li>
 
-<!--ADD-TOPIC:Security-->
-     <li><p>If the <span>origin</span> of the <code>video</code> element is not the <span>same
-     origin</span> as the <span>origin</span> specified by the <span>entry settings object</span>,
-     then return a promise rejected with a <code>SecurityError</code> exception and abort these steps.</p></li>
-<!--REMOVE-TOPIC:Security-->
-
      <li><p>If the <code>video</code> element's <code
      data-x="dom-media-readyState">readyState</code> attribute is either <code
      data-x="dom-media-HAVE_NOTHING">HAVE_NOTHING</code> or <code
@@ -90582,6 +90589,11 @@ interface <dfn>ImageBitmapFactories</dfn> {
      data-x="concept-video-intrinsic-height">intrinsic height</span> (i.e. after any aspect-ratio
      correction has been applied), <span>cropped to the source rectangle</span>.</p>
 
+     <li><p>If the <span>origin</span> of the <code>video</code> element is not the <span>same
+     origin</span> as the <span>origin</span> specified by the <span>entry settings object</span>,
+     then set the <span data-x="concept-canvas-origin-clean">origin-clean</span> flag of the
+     <code>ImageBitmap</code> object's bitmap to false.</p></li>
+
      <li><p>Return a new promise, but continue running these steps
      <span>in parallel</span>.</p></li>
 
@@ -90600,12 +90612,6 @@ interface <dfn>ImageBitmapFactories</dfn> {
      <li><p>If either the <var>sw</var> or <var>sh</var> arguments are specified
      but zero, return a promise rejected with an <code>IndexSizeError</code> exception and abort these steps.</p></li>
 
-<!--ADD-TOPIC:Security-->
-     <li><p>If the <code>canvas</code> element's bitmap data does not have its <span
-     data-x="concept-canvas-origin-clean">origin-clean</span> flag set, then return a promise rejected with an
-     <code>InvalidStateError</code> exception and abort these steps.</p></li>
-<!--REMOVE-TOPIC:Security-->
-
      <li><p>If the <code>canvas</code> element's bitmap has either a horizontal dimension or a
      vertical dimension equal to zero, then return a promise rejected with an <code>InvalidStateError</code> exception and
      abort these steps.</p></li>
@@ -90616,6 +90622,11 @@ interface <dfn>ImageBitmapFactories</dfn> {
      <code>canvas</code> element's bitmap data, <span>cropped to the source
      rectangle</span>.</p></li>
 
+     <li><p>Set the <span data-x="concept-canvas-origin-clean">origin-clean</span> flag of the
+     <code>ImageBitmap</code> object's bitmap to the same value as the <span
+     data-x="concept-canvas-origin-clean">origin-clean</span> flag of the <code>canvas</code>
+     element's bitmap.</p></li>
+
      <li><p>Return a new promise, but continue running these steps
      <span>in parallel</span>.</p></li>
 
@@ -90707,12 +90718,6 @@ interface <dfn>ImageBitmapFactories</dfn> {
      <li><p>If either the <var>sw</var> or <var>sh</var> arguments are specified
      but zero, return a promise rejected with an <code>IndexSizeError</code> exception and abort these steps.</p></li>
 
-<!--ADD-TOPIC:Security-->
-     <li><p>If the <code>CanvasRenderingContext2D</code> object's <span>scratch bitmap</span> does
-     not have its <span data-x="concept-canvas-origin-clean">origin-clean</span> flag set, then return a promise rejected with
-     an <code>InvalidStateError</code> exception and abort these steps.</p></li>
-<!--REMOVE-TOPIC:Security-->
-
      <li><p>If the <code>CanvasRenderingContext2D</code> object's <span>scratch bitmap</span> has
      either a horizontal dimension or a vertical dimension equal to zero, then return a promise rejected with an
      <code>InvalidStateError</code> exception and abort these steps.</p></li>
@@ -90723,6 +90728,11 @@ interface <dfn>ImageBitmapFactories</dfn> {
      <code>CanvasRenderingContext2D</code> object's <span>scratch bitmap</span>, <span>cropped to
      the source rectangle</span>.</p></li>
 
+     <li><p>Set the <span data-x="concept-canvas-origin-clean">origin-clean</span> flag of the
+     <code>ImageBitmap</code> object's bitmap to the same value as the <span
+     data-x="concept-canvas-origin-clean">origin-clean</span> flag of the
+     <code>CanvasRenderingContext2D</code> object's <span>scratch bitmap</span></p></li>
+
      <li><p>Return a new promise, but continue running these steps
      <span>in parallel</span>.</p></li>
 
@@ -90744,8 +90754,13 @@ interface <dfn>ImageBitmapFactories</dfn> {
 
      <li><p>Create a new <code>ImageBitmap</code> object.</p></li>
 
-     <li><p>Let the <code>ImageBitmap</code> object's bitmap data be a copy of the <var>image</var> argument's bitmap data, <span>cropped to the source
-     rectangle</span>.</p></li>
+     <li><p>Let the <code>ImageBitmap</code> object's bitmap data be a copy of the <var>image</var>
+     argument's bitmap data, <span>cropped to the source rectangle</span>.</p></li>
+
+     <li><p>Set the <span data-x="concept-canvas-origin-clean">origin-clean</span> flag of the
+     <code>ImageBitmap</code> object's bitmap to the same value as the <span
+     data-x="concept-canvas-origin-clean">origin-clean</span> flag of the bitmap of the
+     <var>image</var> argument.</p></li>
 
      <li><p>Return a new promise, but continue running these steps
      <span>in parallel</span>.</p></li>
