
Unified Diff: Source/core/svg/graphics/SVGImage.cpp

Issue 22604008: Allow SVG images to not taint the canvas with drawImage/drawPattern (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 7 years, 4 months ago
Index: Source/core/svg/graphics/SVGImage.cpp
diff --git a/Source/core/svg/graphics/SVGImage.cpp b/Source/core/svg/graphics/SVGImage.cpp
index bbcfe3c44c2ce39b21e62a1fec4518c558e323b6..2c24155e259107ecb07f9114c18a2f47cb3e7dda 100644
--- a/Source/core/svg/graphics/SVGImage.cpp
+++ b/Source/core/svg/graphics/SVGImage.cpp
@@ -29,7 +29,9 @@
#include "core/svg/graphics/SVGImage.h"
+#include "core/dom/NodeTraversal.h"
#include "core/loader/DocumentLoader.h"
+#include "core/page/Chrome.h"
#include "core/page/FrameView.h"
#include "core/page/Settings.h"
#include "core/platform/graphics/GraphicsContextStateSaver.h"
@@ -39,6 +41,7 @@
#include "core/rendering/style/RenderStyle.h"
#include "core/rendering/svg/RenderSVGRoot.h"
#include "core/svg/SVGDocument.h"
+#include "core/svg/SVGImageElement.h"
#include "core/svg/SVGSVGElement.h"
#include "core/svg/graphics/SVGImageChromeClient.h"
#include "wtf/PassRefPtr.h"
@@ -62,6 +65,47 @@ SVGImage::~SVGImage()
ASSERT(!m_chromeClient || !m_chromeClient->image());
}
+bool SVGImage::isInSVGImage(const Element* element)
+{
+ ASSERT(element);
+
+ Page* page = element->document()->page();
+ if (!page)
+ return false;
+
+ ChromeClient* chromeClient = page->chrome().client();
+ return chromeClient && chromeClient->isSVGImageChromeClient();
+}
+
+bool SVGImage::hasSingleSecurityOrigin() const
+{
+ if (!m_page)
+ return true;
+
+ Frame* frame = m_page->mainFrame();
+ SVGSVGElement* rootElement = toSVGDocument(frame->document())->rootElement();
+ if (!rootElement)
+ return true;
+
+ // Don't allow foreignObject elements or images that are not known to be
+ // single-origin since these can leak cross-origin information.
+ for (Element* element = ElementTraversal::firstWithin(rootElement); element; element = ElementTraversal::next(element, rootElement)) {
abarth-chromium 2013/08/12 19:47:44 Does this traverse shadow DOM?
pdr. 2013/08/19 23:16:17 Fortunately, custom elements cannot be created dec
+ if (element->hasTagName(SVGNames::foreignObjectTag))
+ return false;
+ // FIXME(crbug.com/249037): Images should be allowed but the
+ // implementation is difficult because images can have animations which
+ // cause them to dynamically change their single-origin state.
+ if (element->hasTagName(SVGNames::imageTag))
+ return false;
+ if (element->hasTagName(SVGNames::feImageTag))
Tom Sepez 2013/08/15 17:53:59 I worry about folks introducing a new element type
pdr. 2013/08/19 23:16:17 I think this will actually end up being prohibitiv
+ return false;
+ }
+
+ // Because SVG image rendering disallows external resources and links, these
+ // images effectively are restricted to a single security origin.
+ return true;
+}
+
void SVGImage::setContainerSize(const IntSize& size)
{
if (!m_page || !usesContainerSize())
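Review bot: The two early returns in `hasSingleSecurityOrigin()`, `if (!m_page) return true;` and `if (!rootElement) return true;`, answer "single origin" without inspecting any content, and nothing says why that is safe. Since this result appears to decide whether drawing the image taints the canvas, each fail-open path should either carry a comment such as `// Nothing to render, so no cross-origin content can reach the canvas.` or return false so the default is the conservative one. In the same function `m_page->mainFrame()` and `frame->document()` are dereferenced unchecked. If a non-null main frame and document are invariants of an SVGImage page, `ASSERT(frame && frame->document());` before the `toSVGDocument` call would record that assumption.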
