Changeset 153876 in webkit
- Timestamp:
- Aug 8, 2013 11:39:52 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 7 added
- 5 deleted
- 9 edited
- 1 moved
trunk/LayoutTests/ChangeLog
r153873 r153876 1 2013-08-08 Timothy Hatcher <timothy@apple.com> 2 3 Allow SVG images to be drawn into canvas without tainting. 4 https://bugs.webkit.org/show_bug.cgi?id=119492 5 6 Reviewed by Darin Adler. 7 8 * fast/canvas/svg-taint-expected.txt: Removed. 9 * fast/canvas/svg-taint.html: Removed. Obsolete. 10 * http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt: Removed. 11 * http/tests/security/canvas-remote-read-data-url-svg-image.html: Removed. Obsolete. 12 * http/tests/security/canvas-remote-read-svg-image-expected.txt: Removed. 13 * http/tests/security/canvas-remote-read-svg-image.html: Removed. Obsolete. 14 * svg/as-image/resources/link-xhtml-svg.svg: Added. 15 * svg/as-image/resources/link-xhtml.svg: Added. 16 * svg/as-image/resources/link.svg: Added. 17 * svg/as-image/svg-canvas-link-not-colored-expected.txt: Added. 18 * svg/as-image/svg-canvas-link-not-colored.html: Added. 19 * svg/as-image/svg-canvas-not-tainted-expected.txt: Added. 20 * svg/as-image/svg-canvas-not-tainted.html: Added. 21 * svg/as-image/svg-canvas-xhtml-tainted-expected.txt: Added. 22 * svg/as-image/svg-canvas-xhtml-tainted.html: Added. 23 1 24 2013-08-08 Commit Queue <commit-queue@webkit.org> 2 25 -
trunk/LayoutTests/svg/as-image/svg-canvas-xhtml-tainted-expected.txt
r153875 r153876 1 1 CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data. 2 This tests that drawing a SVG image to a canvas taints the canvas 2 PASS window.ctx.getImageData(0, 0, 1, 1) threw exception Error: SecurityError: DOM Exception 18. 3 3 4 PASS: getImageData failed. Canvas tainted.5 -
trunk/Source/WebCore/ChangeLog
r153875 r153876 1 2013-08-08 Timothy Hatcher <timothy@apple.com> 2 3 Allow SVG images to be drawn into canvas without tainting. 4 https://bugs.webkit.org/show_bug.cgi?id=119492 5 6 Reviewed by Darin Adler. 7 8 Tests: svg/as-image/svg-canvas-not-tainted.html 9 svg/as-image/svg-canvas-link-not-colored.html 10 svg/as-image/svg-canvas-xhtml-tainted.html 11 12 * html/HTMLAnchorElement.cpp: 13 (WebCore::HTMLAnchorElement::parseAttribute): Call shouldProhibitLinks. 14 (WebCore::shouldProhibitLinks): Added. 15 * html/HTMLAnchorElement.h: 16 * html/HTMLImageElement.cpp: 17 (WebCore::HTMLImageElement::parseAttribute): Call shouldProhibitLinks. 18 * rendering/svg/RenderSVGRoot.cpp: 19 (WebCore::RenderSVGRoot::isEmbeddedThroughSVGImage): Use isInSVGImage. 20 * svg/SVGAElement.cpp: 21 (WebCore::SVGAElement::svgAttributeChanged): Call shouldProhibitLinks. 22 * svg/graphics/SVGImage.cpp: 23 (WebCore::SVGImage::hasSingleSecurityOrigin): Added. 24 (WebCore::isInSVGImage): Added. 25 * svg/graphics/SVGImage.h: 26 1 27 2013-08-08 Simon Fraser <simon.fraser@apple.com> 2 28 -
trunk/Source/WebCore/html/HTMLAnchorElement.cpp
r153772 r153876 43 43 #include "RenderImage.h" 44 44 #include "ResourceRequest.h" 45 #include "SVGImage.h" 45 46 #include "SecurityOrigin.h" 46 47 #include "SecurityPolicy.h" … … 246 247 if (name == hrefAttr) { 247 248 bool wasLink = isLink(); 248 setIsLink(!value.isNull() );249 setIsLink(!value.isNull() && !shouldProhibitLinks(this)); 249 250 if (wasLink != isLink()) 250 251 didAffectSelector(AffectedSelectorLink | AffectedSelectorVisited | AffectedSelectorEnabled); … … 600 601 } 601 602 603 bool shouldProhibitLinks(Element* element) 604 { 605 #if ENABLE(SVG) 606 return isInSVGImage(element); 607 #else 608 return false; 609 #endif 610 } 611 602 612 bool HTMLAnchorElement::willRespondToMouseClickEvents() 603 613 { -
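Review bot: `shouldProhibitLinks` is added without a comment saying why links are suppressed, and the reason is security-relevant rather than cosmetic. Judging by the new `svg-canvas-link-not-colored` test, the intent appears to be that anchors inside an SVG-as-image document never match link styling, so link state cannot end up in the pixels of a canvas that stays untainted. I would state that above the definition, e.g. `// Links are disabled inside SVG images so link styling can never reach an untainted canvas.`, and repeat a short form on the declaration in HTMLAnchorElement.h. The same guard is applied at the `usemapAttr` branch in HTMLImageElement.cpp and in `SVGAElement::svgAttributeChanged`. Because the decision is taken only when the attribute is parsed, the comment should also record the assumption that the element's document is already attached to the SVGImage page at that point (the enclosing `parseAttribute` body is only partly visible here).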
trunk/Source/WebCore/html/HTMLAnchorElement.h
r153772 r153876 170 170 bool isEnterKeyKeydownEvent(Event*); 171 171 bool isLinkClick(Event*); 172 bool shouldProhibitLinks(Element*); 172 173 173 174 } // namespace WebCore -
trunk/Source/WebCore/html/HTMLImageElement.cpp
r153772 r153876 30 30 #include "EventNames.h" 31 31 #include "FrameView.h" 32 #include "HTMLAnchorElement.h" 32 33 #include "HTMLDocument.h" 33 34 #include "HTMLFormElement.h" … … 127 128 m_bestFitImageURL = bestFitSourceForImageAttributes(deviceScaleFactor, fastGetAttribute(srcAttr), fastGetAttribute(srcsetAttr)); 128 129 m_imageLoader.updateFromElementIgnoringPreviousError(); 129 } 130 else if (name == usemapAttr) 131 setIsLink(!value.isNull()); 130 } else if (name == usemapAttr) 131 setIsLink(!value.isNull() && !shouldProhibitLinks(this)); 132 132 else if (name == onbeforeloadAttr) 133 133 setAttributeEventListener(eventNames().beforeloadEvent, createAttributeEventListener(this, name, value)); -
trunk/Source/WebCore/rendering/svg/RenderSVGRoot.cpp
r152780 r153876 39 39 #include "RenderSVGResourceContainer.h" 40 40 #include "RenderView.h" 41 #include "SVGImage.h" 41 42 #include "SVGLength.h" 42 43 #include "SVGRenderingContext.h" … … 125 126 if (!node()) 126 127 return false; 127 128 Frame* frame = node()->document()->frame(); 129 if (!frame) 130 return false; 131 132 // Test whether we're embedded through an img. 133 if (!frame->page()) 134 return false; 135 136 ChromeClient* chromeClient = frame->page()->chrome().client(); 137 if (!chromeClient || !chromeClient->isSVGImageChromeClient()) 138 return false; 139 140 return true; 128 return isInSVGImage(toSVGSVGElement(node())); 141 129 } 142 130 -
trunk/Source/WebCore/svg/SVGAElement.cpp
r153559 r153876 135 135 if (SVGURIReference::isKnownAttribute(attrName)) { 136 136 bool wasLink = isLink(); 137 setIsLink(!href().isNull()); 138 137 setIsLink(!href().isNull() && !shouldProhibitLinks(this)); 139 138 if (wasLink != isLink()) 140 139 setNeedsStyleRecalc(); -
trunk/Source/WebCore/svg/graphics/SVGImage.cpp
r152020 r153876 31 31 #include "SVGImage.h" 32 32 33 #include "Chrome.h" 33 34 #include "DocumentLoader.h" 34 35 #include "FrameView.h" … … 36 37 #include "ImageObserver.h" 37 38 #include "IntRect.h" 39 #include "NodeTraversal.h" 38 40 #include "RenderSVGRoot.h" 39 41 #include "RenderStyle.h" … … 60 62 // Verify that page teardown destroyed the Chrome 61 63 ASSERT(!m_chromeClient || !m_chromeClient->image()); 64 } 65 66 bool SVGImage::hasSingleSecurityOrigin() const 67 { 68 if (!m_page) 69 return true; 70 71 Frame* frame = m_page->mainFrame(); 72 SVGSVGElement* rootElement = toSVGDocument(frame->document())->rootElement(); 73 if (!rootElement) 74 return true; 75 76 // Don't allow foreignObject elements since they can leak information with arbitrary HTML (like spellcheck or control theme). 77 for (Element* current = ElementTraversal::firstWithin(rootElement); current; current = ElementTraversal::next(current, rootElement)) { 78 if (current->hasTagName(SVGNames::foreignObjectTag)) 79 return false; 80 } 81 82 // Because SVG image rendering disallows external resources and links, 83 // these images effectively are restricted to a single security origin. 84 return true; 62 85 } 63 86 … … 372 395 } 373 396 397 bool isInSVGImage(const Element* element) 398 { 399 ASSERT(element); 400 401 Page* page = element->document()->page(); 402 if (!page) 403 return false; 404 405 ChromeClient* chromeClient = page->chrome().client(); 406 return chromeClient && chromeClient->isSVGImageChromeClient(); 407 } 408 374 409 } 375 410 -
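Review bot: `SVGImage::hasSingleSecurityOrigin` decides canvas tainting with a one-tag denylist and returns `true` on every other path, so the guarantee rests entirely on the closing comment that SVG image rendering disallows external resources and links. That invariant is enforced in other files (the `shouldProhibitLinks` callers in this changeset), so the comment should name where; any later element whose rendering depends on user or cross-origin state has to be added to this loop, or the canvas silently stays readable. Separately, `toSVGDocument(frame->document())->rootElement()` dereferences the frame and the cast result without a check. If either can be null while `m_page` is set (not visible from this hunk), a guard that fails closed would be safer: `if (!frame || !frame->document()) return false;`. The tree walk also runs on every call; caching the answer may be worthwhile if the image DOM cannot change after load, which I have not verified.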
trunk/Source/WebCore/svg/graphics/SVGImage.h
r149193 r153876 34 34 namespace WebCore { 35 35 36 class Element; 36 37 class FrameView; 37 38 class ImageBuffer; … … 53 54 virtual bool isSVGImage() const { return true; } 54 55 virtual IntSize size() const OVERRIDE { return m_intrinsicSize; } 56 57 virtual bool hasSingleSecurityOrigin() const OVERRIDE; 55 58 56 59 virtual bool hasRelativeWidth() const; … … 98 101 IntSize m_intrinsicSize; 99 102 }; 103 104 bool isInSVGImage(const Element*); 105 100 106 } 101 107