diff options
| author | treib <treib@chromium.org> | 2016-01-11 08:20:20 -0800 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-01-11 16:21:06 +0000 |
| commit | f211b743e659391cf5b674dfe2ea29f6b0fe2b29 (patch) | |
| tree | 8d7ab359f4dc926bd43d8eee4e87f7534e4ac2b4 /third_party/WebKit | |
| parent | 04a313090df5eb6a419becc1588449c74aa1a7ae (diff) | |
| download | chromium_src-f211b743e659391cf5b674dfe2ea29f6b0fe2b29.zip chromium_src-f211b743e659391cf5b674dfe2ea29f6b0fe2b29.tar.gz chromium_src-f211b743e659391cf5b674dfe2ea29f6b0fe2b29.tar.bz2 | |
Revert of Add a origin clean flag in ImageBitmap class (patchset #14 id:260001 of https://codereview.chromium.org/1532473002/ )
Reason for revert:
Seems to have broken Oilpan builds:
https://build.chromium.org/p/chromium.webkit/buildstatus?builder=WebKit%20Mac%20Oilpan&number=28566
https://build.chromium.org/p/chromium.webkit/buildstatus?builder=WebKit%20Linux%20Oilpan%20Builder&number=100
Original issue's description:
> Add a origin clean flag in ImageBitmap class
>
> This CL adds a origin clean flag, such that in the case when the source
> of the ImageBitmap contains cross-origin content, we can simply set this
> flag instead of reject the promise.
>
> BUG=569779
>
> Committed: https://crrev.com/10b9b4435e25fb8ede2122482426ae81c7980630
> Cr-Commit-Position: refs/heads/master@{#368595}
TBR=junov@chromium.org,xidachen@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=569779
Review URL: https://codereview.chromium.org/1577783003
Cr-Commit-Position: refs/heads/master@{#368598}
Diffstat (limited to 'third_party/WebKit')
11 files changed, 88 insertions, 123 deletions
diff --git a/third_party/WebKit/LayoutTests/fast/canvas/canvas-createImageBitmap-drawImage.html b/third_party/WebKit/LayoutTests/fast/canvas/canvas-createImageBitmap-drawImage.html index cd81dcf..6442e2a 100644 --- a/third_party/WebKit/LayoutTests/fast/canvas/canvas-createImageBitmap-drawImage.html +++ b/third_party/WebKit/LayoutTests/fast/canvas/canvas-createImageBitmap-drawImage.html @@ -154,6 +154,7 @@ function loaded() { if (imageLoaded && imageBitmapLoaded && blobLoaded) { // check all of these elements elements = [image, aCanvas, d, testBitmap, blob]; + // wait for callback to finish before each check to ensure synchronous behavior nextCheck(0); } diff --git a/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap-expected.txt b/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap-expected.txt index d6ab0ee..21bbc26 100644 --- a/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap-expected.txt +++ b/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap-expected.txt @@ -1,17 +1,15 @@ -The image bitmap factories should not throw exceptions on cross-origin access. +The image bitmap factories should throw exceptions on cross-origin access. On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". -PASS Resolved as expected: image -PASS ImageBitmap is tainted. Threw error: SecurityError: Failed to execute 'getImageData' on 'CanvasRenderingContext2D': The canvas has been tainted by cross-origin data. -PASS Resolved as expected: canvas -PASS ImageBitmap is tainted. Threw error: SecurityError: Failed to execute 'getImageData' on 'CanvasRenderingContext2D': The canvas has been tainted by cross-origin data. -PASS Resolved as expected: imageBitmap -PASS ImageBitmap is tainted. Threw error: SecurityError: Failed to execute 'getImageData' on 'CanvasRenderingContext2D': The canvas has been tainted by cross-origin data. -PASS Resolved as expected: video -PASS ImageBitmap is tainted. Threw error: SecurityError: Failed to execute 'getImageData' on 'CanvasRenderingContext2D': The canvas has been tainted by cross-origin data. +PASS Rejected as expected: image +PASS reason instanceof Error is true +SecurityError: Failed to execute 'createImageBitmap' on 'Window': Cross-origin access to the source image is denied. +PASS Rejected as expected: video +PASS reason instanceof Error is true +SecurityError: Failed to execute 'createImageBitmap' on 'Window': Cross-origin access to the source video is denied. PASS successfullyParsed is true TEST COMPLETE - + diff --git a/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap.html b/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap.html index 3ddf857..b5b5624 100644 --- a/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap.html +++ b/third_party/WebKit/LayoutTests/http/tests/security/cross-origin-createImageBitmap.html @@ -3,80 +3,44 @@ <body> <script src="/js-test-resources/js-test.js"></script> <script> -description("The image bitmap factories should not throw exceptions on cross-origin access."); +description("The image bitmap factories should throw exceptions on cross-origin access."); window.jsTestIsAsync = true; var reason; -function shouldBeAcceptedAndTainted(promise, message) { - return promise.then(function(imageBitmap) { - testPassed('Resolved as expected: ' + message); - shouldBeTainted(imageBitmap); +function shouldBeRejected(promise, message) { + return promise.then(function() { + testFailed('Resolved unexpectedly: ' + message); }, function(e) { reason = e; - testFailed('Rejected unexpectedly: ' + message); + testPassed('Rejected as expected: ' + message); shouldBeTrue('reason instanceof Error'); debug(e); }); } -function shouldBeTainted(imageBitmap) { - var canvas = document.createElement("canvas"); - canvas.width = 10; - canvas.height = 10; - var context = canvas.getContext("2d"); - context.drawImage(imageBitmap, 0, 0, 10, 10); - try { - var imageData = context.getImageData(0, 0, 10, 10); - testFailed("ImageBitmap is not tainted."); - } catch (e) { - testPassed("ImageBitmap is tainted. Threw error: " + e); - } -} - -var image = document.createElement('img'); -image.src = 'http://localhost:8080/security/resources/abe.png'; -var video = document.createElement('video'); -video.src = 'http://localhost:8080/media/resources/load-video.php?name=test.ogv&type=video/ogv'; - -image.addEventListener('load', function() { - document.body.appendChild(image); - shouldBeAcceptedAndTainted(createImageBitmap(image, 0, 0, 10, 10), 'image') -.then(function() { - var canvas = document.createElement("canvas"); - canvas.width = 10; - canvas.height = 10; - var context = canvas.getContext("2d"); - // taint the canvas - context.drawImage(image, 0, 0, 10, 10); - shouldBeAcceptedAndTainted(createImageBitmap(canvas, 0, 0, 10, 10), 'canvas') -.then(function() { - createImageBitmap(image).then(imageBitmap => { - shouldBeAcceptedAndTainted(createImageBitmap(imageBitmap, 0, 0, 10, 10), 'imageBitmap') -.then(function() { - document.body.appendChild(video); - video.play(); - video.addEventListener('playing', function() { - shouldBeAcceptedAndTainted(createImageBitmap(video, 0, 0, 10, 10), 'video') -.then(finishJSTest, ()=> { - testFailed("Unexpected failure"); - finishJSTest(); -}); -}); -}, ()=> { - testFailed("Unexpected failure"); - finishJSTest(); -}); -}); -}, ()=> { - testFailed("Unexpected failure"); - finishJSTest(); -}); -}, ()=> { - testFailed("Unexpected failure"); - finishJSTest(); -}); -}); +Promise.resolve().then(function() { + return new Promise(function(resolve, reject) { + var image = document.createElement('img'); + image.addEventListener('load', resolve.bind(undefined, image)); + image.src = 'http://localhost:8080/security/resources/abe.png'; + document.body.appendChild(image); + }).then(function(image) { + return shouldBeRejected(createImageBitmap(image, 0, 0, 10, 10), 'image'); + }); +}).then(function() { + return new Promise(function(resolve, reject) { + var video = document.createElement('video'); + video.src = 'http://localhost:8080/media/resources/load-video.php?name=test.ogv&type=video/ogv'; + video.addEventListener('playing', resolve.bind(undefined, video)); + document.body.appendChild(video); + video.play(); + }).then(function(video) { + return shouldBeRejected(createImageBitmap(video, 0, 0, 10, 10), 'video'); + }); +}).catch(function(e) { + testFailed('Unexpected rejection: ' + e); +}).then(finishJSTest, finishJSTest); </script> </body> </html> diff --git a/third_party/WebKit/Source/core/frame/ImageBitmap.cpp b/third_party/WebKit/Source/core/frame/ImageBitmap.cpp index 4c30836..2d42f46 100644 --- a/third_party/WebKit/Source/core/frame/ImageBitmap.cpp +++ b/third_party/WebKit/Source/core/frame/ImageBitmap.cpp @@ -45,13 +45,12 @@ static PassRefPtr<StaticBitmapImage> cropImage(Image* image, const IntRect& crop return StaticBitmapImage::create(adoptRef(surface->newImageSnapshot())); } -ImageBitmap::ImageBitmap(HTMLImageElement* image, const IntRect& cropRect, Document* document) +ImageBitmap::ImageBitmap(HTMLImageElement* image, const IntRect& cropRect) { m_image = cropImage(image->cachedImage()->image(), cropRect); - m_image->setOriginClean(!image->wouldTaintOrigin(document->securityOrigin())); } -ImageBitmap::ImageBitmap(HTMLVideoElement* video, const IntRect& cropRect, Document* document) +ImageBitmap::ImageBitmap(HTMLVideoElement* video, const IntRect& cropRect) { IntSize playerSize; if (video->webMediaPlayer()) @@ -66,14 +65,12 @@ ImageBitmap::ImageBitmap(HTMLVideoElement* video, const IntRect& cropRect, Docum IntPoint dstPoint = IntPoint(std::max(0, -cropRect.x()), std::max(0, -cropRect.y())); video->paintCurrentFrame(buffer->canvas(), IntRect(dstPoint, srcRect.size()), nullptr); m_image = StaticBitmapImage::create(buffer->newSkImageSnapshot(PreferNoAcceleration)); - m_image->setOriginClean(!video->wouldTaintOrigin(document->securityOrigin())); } ImageBitmap::ImageBitmap(HTMLCanvasElement* canvas, const IntRect& cropRect) { ASSERT(canvas->isPaintable()); m_image = cropImage(canvas->copiedImage(BackBuffer, PreferAcceleration).get(), cropRect); - m_image->setOriginClean(canvas->originClean()); } ImageBitmap::ImageBitmap(ImageData* data, const IntRect& cropRect) @@ -101,13 +98,11 @@ ImageBitmap::ImageBitmap(ImageData* data, const IntRect& cropRect) ImageBitmap::ImageBitmap(ImageBitmap* bitmap, const IntRect& cropRect) { m_image = cropImage(bitmap->bitmapImage(), cropRect); - m_image->setOriginClean(bitmap->originClean()); } -ImageBitmap::ImageBitmap(PassRefPtrWillBeRawPtr<StaticBitmapImage> image, const IntRect& cropRect) +ImageBitmap::ImageBitmap(Image* image, const IntRect& cropRect) { - m_image = cropImage(image.get(), cropRect); - m_image->setOriginClean(image->originClean()); + m_image = cropImage(image, cropRect); } ImageBitmap::ImageBitmap(PassRefPtr<StaticBitmapImage> image) @@ -126,16 +121,16 @@ ImageBitmap::~ImageBitmap() { } -PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(HTMLImageElement* image, const IntRect& cropRect, Document* document) +PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(HTMLImageElement* image, const IntRect& cropRect) { IntRect normalizedCropRect = normalizeRect(cropRect); - return adoptRefWillBeNoop(new ImageBitmap(image, normalizedCropRect, document)); + return adoptRefWillBeNoop(new ImageBitmap(image, normalizedCropRect)); } -PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(HTMLVideoElement* video, const IntRect& cropRect, Document* document) +PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(HTMLVideoElement* video, const IntRect& cropRect) { IntRect normalizedCropRect = normalizeRect(cropRect); - return adoptRefWillBeNoop(new ImageBitmap(video, normalizedCropRect, document)); + return adoptRefWillBeNoop(new ImageBitmap(video, normalizedCropRect)); } PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(HTMLCanvasElement* canvas, const IntRect& cropRect) @@ -156,7 +151,7 @@ PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(ImageBitmap* bitmap, con return adoptRefWillBeNoop(new ImageBitmap(bitmap, normalizedCropRect)); } -PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(PassRefPtr<StaticBitmapImage> image, const IntRect& cropRect) +PassRefPtrWillBeRawPtr<ImageBitmap> ImageBitmap::create(Image* image, const IntRect& cropRect) { IntRect normalizedCropRect = normalizeRect(cropRect); return adoptRefWillBeNoop(new ImageBitmap(image, normalizedCropRect)); diff --git a/third_party/WebKit/Source/core/frame/ImageBitmap.h b/third_party/WebKit/Source/core/frame/ImageBitmap.h index 6af36c0..59fbf33 100644 --- a/third_party/WebKit/Source/core/frame/ImageBitmap.h +++ b/third_party/WebKit/Source/core/frame/ImageBitmap.h @@ -28,13 +28,13 @@ class CORE_EXPORT ImageBitmap final : public RefCountedWillBeGarbageCollectedFin DEFINE_WRAPPERTYPEINFO(); WILL_BE_USING_GARBAGE_COLLECTED_MIXIN(ImageBitmap); public: - static PassRefPtrWillBeRawPtr<ImageBitmap> create(HTMLImageElement*, const IntRect&, Document*); - static PassRefPtrWillBeRawPtr<ImageBitmap> create(HTMLVideoElement*, const IntRect&, Document*); + static PassRefPtrWillBeRawPtr<ImageBitmap> create(HTMLImageElement*, const IntRect&); + static PassRefPtrWillBeRawPtr<ImageBitmap> create(HTMLVideoElement*, const IntRect&); static PassRefPtrWillBeRawPtr<ImageBitmap> create(HTMLCanvasElement*, const IntRect&); static PassRefPtrWillBeRawPtr<ImageBitmap> create(ImageData*, const IntRect&); static PassRefPtrWillBeRawPtr<ImageBitmap> create(ImageBitmap*, const IntRect&); + static PassRefPtrWillBeRawPtr<ImageBitmap> create(Image*, const IntRect&); static PassRefPtrWillBeRawPtr<ImageBitmap> create(PassRefPtr<StaticBitmapImage>); - static PassRefPtrWillBeRawPtr<ImageBitmap> create(PassRefPtr<StaticBitmapImage>, const IntRect&); StaticBitmapImage* bitmapImage() const { return (m_image) ? m_image.get() : nullptr; } unsigned long width() const; @@ -42,14 +42,13 @@ public: IntSize size() const; bool isNeutered() const { return m_isNeutered; } - bool originClean() const { return m_image->originClean(); } PassRefPtr<StaticBitmapImage> transfer(); ~ImageBitmap() override; // CanvasImageSource implementation PassRefPtr<Image> getSourceImageForCanvas(SourceImageStatus*, AccelerationHint) const override; - bool wouldTaintOrigin(SecurityOrigin*) const override { return !m_image->originClean(); } + bool wouldTaintOrigin(SecurityOrigin*) const override { return false; } void adjustDrawRects(FloatRect* srcRect, FloatRect* dstRect) const override; FloatSize elementSize() const override; @@ -60,13 +59,13 @@ public: DECLARE_VIRTUAL_TRACE(); private: - ImageBitmap(HTMLImageElement*, const IntRect&, Document*); - ImageBitmap(HTMLVideoElement*, const IntRect&, Document*); + ImageBitmap(HTMLImageElement*, const IntRect&); + ImageBitmap(HTMLVideoElement*, const IntRect&); ImageBitmap(HTMLCanvasElement*, const IntRect&); ImageBitmap(ImageData*, const IntRect&); ImageBitmap(ImageBitmap*, const IntRect&); + ImageBitmap(Image*, const IntRect&); ImageBitmap(PassRefPtr<StaticBitmapImage>); - ImageBitmap(PassRefPtr<StaticBitmapImage>, const IntRect&); // ImageLoaderClient void notifyImageSourceChanged() override; diff --git a/third_party/WebKit/Source/core/frame/ImageBitmapTest.cpp b/third_party/WebKit/Source/core/frame/ImageBitmapTest.cpp index f22d259..54f9870 100644 --- a/third_party/WebKit/Source/core/frame/ImageBitmapTest.cpp +++ b/third_party/WebKit/Source/core/frame/ImageBitmapTest.cpp @@ -85,17 +85,13 @@ TEST_F(ImageBitmapTest, ImageResourceConsistency) imageElement->setImageResource(new ImageResource(StaticBitmapImage::create(m_image).get())); RefPtrWillBeRawPtr<ImageBitmap> imageBitmapNoCrop = ImageBitmap::create(imageElement.get(), - IntRect(0, 0, m_image->width(), m_image->height()), - &(imageElement->document())); + IntRect(0, 0, m_image->width(), m_image->height())); RefPtrWillBeRawPtr<ImageBitmap> imageBitmapInteriorCrop = ImageBitmap::create(imageElement.get(), - IntRect(m_image->width() / 2, m_image->height() / 2, m_image->width() / 2, m_image->height() / 2), - &(imageElement->document())); + IntRect(m_image->width() / 2, m_image->height() / 2, m_image->width() / 2, m_image->height() / 2)); RefPtrWillBeRawPtr<ImageBitmap> imageBitmapExteriorCrop = ImageBitmap::create(imageElement.get(), - IntRect(-m_image->width() / 2, -m_image->height() / 2, m_image->width(), m_image->height()), - &(imageElement->document())); + IntRect(-m_image->width() / 2, -m_image->height() / 2, m_image->width(), m_image->height())); RefPtrWillBeRawPtr<ImageBitmap> imageBitmapOutsideCrop = ImageBitmap::create(imageElement.get(), - IntRect(-m_image->width(), -m_image->height(), m_image->width(), m_image->height()), - &(imageElement->document())); + IntRect(-m_image->width(), -m_image->height(), m_image->width(), m_image->height())); ASSERT_EQ(imageBitmapNoCrop->bitmapImage()->imageForCurrentFrame(), imageElement->cachedImage()->image()->imageForCurrentFrame()); ASSERT_NE(imageBitmapInteriorCrop->bitmapImage()->imageForCurrentFrame(), imageElement->cachedImage()->image()->imageForCurrentFrame()); @@ -150,21 +146,16 @@ TEST_F(ImageBitmapTest, ImageBitmapLiveResourcePriority) ASSERT_EQ(memoryCache()->priority(imageOutsideCrop->cachedImage()), MemoryCacheLiveResourcePriorityLow); RefPtrWillBePersistent<ImageBitmap> imageBitmapInteriorCrop = ImageBitmap::create(imageInteriorCrop.get(), - IntRect(m_image->width() / 2, m_image->height() / 2, m_image->width(), m_image->height()), - &(imageInteriorCrop->document())); + IntRect(m_image->width() / 2, m_image->height() / 2, m_image->width(), m_image->height())); { RefPtrWillBePersistent<ImageBitmap> imageBitmapNoCrop = ImageBitmap::create(imageNoCrop.get(), - IntRect(0, 0, m_image->width(), m_image->height()), - &(imageNoCrop->document())); + IntRect(0, 0, m_image->width(), m_image->height())); RefPtrWillBePersistent<ImageBitmap> imageBitmapInteriorCrop2 = ImageBitmap::create(imageInteriorCrop.get(), - IntRect(m_image->width() / 2, m_image->height() / 2, m_image->width(), m_image->height()), - &(imageInteriorCrop->document())); + IntRect(m_image->width() / 2, m_image->height() / 2, m_image->width(), m_image->height())); RefPtrWillBePersistent<ImageBitmap> imageBitmapExteriorCrop = ImageBitmap::create(imageExteriorCrop.get(), - IntRect(-m_image->width() / 2, -m_image->height() / 2, m_image->width(), m_image->height()), - &(imageExteriorCrop->document())); + IntRect(-m_image->width() / 2, -m_image->height() / 2, m_image->width(), m_image->height())); RefPtrWillBePersistent<ImageBitmap> imageBitmapOutsideCrop = ImageBitmap::create(imageOutsideCrop.get(), - IntRect(-m_image->width(), -m_image->height(), m_image->width(), m_image->height()), - &(imageOutsideCrop->document())); + IntRect(-m_image->width(), -m_image->height(), m_image->width(), m_image->height())); // Images are not referenced by ImageBitmap anymore, so always CacheLiveResourcePriorityLow ASSERT_EQ(memoryCache()->priority(imageNoCrop->cachedImage()), MemoryCacheLiveResourcePriorityLow); @@ -196,8 +187,7 @@ TEST_F(ImageBitmapTest, ImageBitmapSourceChanged) image->setImageResource(originalImageResource.get()); RefPtrWillBeRawPtr<ImageBitmap> imageBitmap = ImageBitmap::create(image.get(), - IntRect(0, 0, m_image->width(), m_image->height()), - &(image->document())); + IntRect(0, 0, m_image->width(), m_image->height())); ASSERT_EQ(imageBitmap->bitmapImage()->imageForCurrentFrame(), originalImageResource->image()->imageForCurrentFrame()); ResourcePtr<ImageResource> newImageResource = new ImageResource( diff --git a/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp b/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp index 07a62ea..11eb39f 100644 --- a/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp +++ b/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp @@ -1003,6 +1003,10 @@ IntSize HTMLCanvasElement::bitmapSourceSize() const ScriptPromise HTMLCanvasElement::createImageBitmap(ScriptState* scriptState, EventTarget& eventTarget, int sx, int sy, int sw, int sh, ExceptionState& exceptionState) { ASSERT(eventTarget.toDOMWindow()); + if (!originClean()) { + exceptionState.throwSecurityError("The canvas element provided is tainted with cross-origin data."); + return ScriptPromise(); + } if (!sw || !sh) { exceptionState.throwDOMException(IndexSizeError, String::format("The source %s provided is 0.", sw ? "height" : "width")); return ScriptPromise(); diff --git a/third_party/WebKit/Source/core/html/HTMLImageElement.cpp b/third_party/WebKit/Source/core/html/HTMLImageElement.cpp index 6568ae8..f1fed96 100644 --- a/third_party/WebKit/Source/core/html/HTMLImageElement.cpp +++ b/third_party/WebKit/Source/core/html/HTMLImageElement.cpp @@ -699,7 +699,16 @@ ScriptPromise HTMLImageElement::createImageBitmap(ScriptState* scriptState, Even exceptionState.throwDOMException(IndexSizeError, String::format("The source %s provided is 0.", sw ? "height" : "width")); return ScriptPromise(); } - return ImageBitmapSource::fulfillImageBitmap(scriptState, ImageBitmap::create(this, IntRect(sx, sy, sw, sh), eventTarget.toDOMWindow()->document())); + if (!cachedImage()->image()->currentFrameHasSingleSecurityOrigin()) { + exceptionState.throwSecurityError("The source image contains image data from multiple origins."); + return ScriptPromise(); + } + Document* document = eventTarget.toDOMWindow()->document(); + if (!cachedImage()->passesAccessControlCheck(document->securityOrigin()) && document->securityOrigin()->taintsCanvas(src())) { + exceptionState.throwSecurityError("Cross-origin access to the source image is denied."); + return ScriptPromise(); + } + return ImageBitmapSource::fulfillImageBitmap(scriptState, ImageBitmap::create(this, IntRect(sx, sy, sw, sh))); } void HTMLImageElement::selectSourceURL(ImageLoader::UpdateFromElementBehavior behavior) diff --git a/third_party/WebKit/Source/core/html/HTMLVideoElement.cpp b/third_party/WebKit/Source/core/html/HTMLVideoElement.cpp index 38bda79..6847cd1 100644 --- a/third_party/WebKit/Source/core/html/HTMLVideoElement.cpp +++ b/third_party/WebKit/Source/core/html/HTMLVideoElement.cpp @@ -340,7 +340,16 @@ ScriptPromise HTMLVideoElement::createImageBitmap(ScriptState* scriptState, Even exceptionState.throwDOMException(IndexSizeError, String::format("The source %s provided is 0.", sw ? "height" : "width")); return ScriptPromise(); } - return ImageBitmapSource::fulfillImageBitmap(scriptState, ImageBitmap::create(this, IntRect(sx, sy, sw, sh), eventTarget.toDOMWindow()->document())); + if (!hasSingleSecurityOrigin()) { + exceptionState.throwSecurityError("The source video contains image data from multiple origins."); + return ScriptPromise(); + } + if (!webMediaPlayer()->didPassCORSAccessCheck() + && eventTarget.toDOMWindow()->document()->securityOrigin()->taintsCanvas(currentSrc())) { + exceptionState.throwSecurityError("Cross-origin access to the source video is denied."); + return ScriptPromise(); + } + return ImageBitmapSource::fulfillImageBitmap(scriptState, ImageBitmap::create(this, IntRect(sx, sy, sw, sh))); } } // namespace blink diff --git a/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp b/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp index c9226d9..11a21fd 100644 --- a/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp +++ b/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp @@ -183,14 +183,13 @@ void ImageBitmapFactories::ImageBitmapLoader::didFinishLoading() return; } - RefPtr<StaticBitmapImage> image = StaticBitmapImage::create(frame); - image->setOriginClean(true); + RefPtr<Image> image = StaticBitmapImage::create(frame); if (!m_cropRect.width() && !m_cropRect.height()) { // No cropping variant was called. m_cropRect = IntRect(IntPoint(), image->size()); } - RefPtrWillBeRawPtr<ImageBitmap> imageBitmap = ImageBitmap::create(image, m_cropRect); + RefPtrWillBeRawPtr<ImageBitmap> imageBitmap = ImageBitmap::create(image.get(), m_cropRect); m_resolver->resolve(imageBitmap.release()); m_factory->didFinishLoading(this); } diff --git a/third_party/WebKit/Source/platform/graphics/StaticBitmapImage.h b/third_party/WebKit/Source/platform/graphics/StaticBitmapImage.h index bd36802..b2e84d9 100644 --- a/third_party/WebKit/Source/platform/graphics/StaticBitmapImage.h +++ b/third_party/WebKit/Source/platform/graphics/StaticBitmapImage.h @@ -23,13 +23,10 @@ public: PassRefPtr<SkImage> imageForCurrentFrame() override; - bool originClean() const { return m_isOriginClean; } - void setOriginClean(bool flag) { m_isOriginClean = flag; } protected: StaticBitmapImage(PassRefPtr<SkImage>); RefPtr<SkImage> m_image; - bool m_isOriginClean = true; }; } // namespace blink |