Chromium Code Reviews Chromium Code Reviews
Issue 2323933004:
Disallow users modify canvas after it transfers control to offscreen (Closed)
| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2004, 2006, 2007 Apple Inc. All rights reserved. | 2 * Copyright (C) 2004, 2006, 2007 Apple Inc. All rights reserved. |
| 3 * Copyright (C) 2007 Alp Toker <alp@atoker.com> | 3 * Copyright (C) 2007 Alp Toker <alp@atoker.com> |
| 4 * Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved. | 4 * Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved. |
| 5 * | 5 * |
| 6 * Redistribution and use in source and binary forms, with or without | 6 * Redistribution and use in source and binary forms, with or without |
| 7 * modification, are permitted provided that the following conditions | 7 * modification, are permitted provided that the following conditions |
| 8 * are met: | 8 * are met: |
| 9 * 1. Redistributions of source code must retain the above copyright | 9 * 1. Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 156 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 167 return new LayoutHTMLCanvas(this); | 167 return new LayoutHTMLCanvas(this); |
| 168 return HTMLElement::createLayoutObject(style); | 168 return HTMLElement::createLayoutObject(style); |
| 169 } | 169 } |
| 170 | 170 |
| 171 Node::InsertionNotificationRequest HTMLCanvasElement::insertedInto(ContainerNode * node) | 171 Node::InsertionNotificationRequest HTMLCanvasElement::insertedInto(ContainerNode * node) |
| 172 { | 172 { |
| 173 setIsInCanvasSubtree(true); | 173 setIsInCanvasSubtree(true); |
| 174 return HTMLElement::insertedInto(node); | 174 return HTMLElement::insertedInto(node); |
| 175 } | 175 } |
| 176 | 176 |
| 177 void HTMLCanvasElement::setHeight(int value) | 177 void HTMLCanvasElement::setHeight(int value, ExceptionState& exceptionState) |
| 178 { | 178 { |
| 179 if (surfaceLayerBridge()) { | |
| 180 // The existence of surfaceLayerBridge indicates that | |
| 181 // canvas.transferControlToOffscreen has been called. | |
| 182 exceptionState.throwDOMException(InvalidStateError, "Resizing is not all owed for a canvas that has transferred its control to offscreen."); | |
| 183 return; | |
| 184 } | |
| 179 setIntegralAttribute(heightAttr, value); | 185 setIntegralAttribute(heightAttr, value); |
| 180 } | 186 } |
| 181 | 187 |
| 182 void HTMLCanvasElement::setWidth(int value) | 188 void HTMLCanvasElement::setWidth(int value, ExceptionState& exceptionState) |
| 183 { | 189 { |
| 190 if (surfaceLayerBridge()) { | |
| 191 // Same comment as above. | |
| 192 exceptionState.throwDOMException(InvalidStateError, "Resizing is not all owed for a canvas that has transferred its control to offscreen."); | |
| 193 return; | |
| 194 } | |
| 184 setIntegralAttribute(widthAttr, value); | 195 setIntegralAttribute(widthAttr, value); |
| 185 } | 196 } |
| 186 | 197 |
| 198 void HTMLCanvasElement::setSize(const IntSize& newSize) | |
| 199 { | |
| 200 if (newSize == size()) | |
| 201 return; | |
| 202 m_ignoreReset = true; | |
| 203 setIntegralAttribute(widthAttr, newSize.width()); | |
| 204 setIntegralAttribute(heightAttr, newSize.height()); | |
| 205 m_ignoreReset = false; | |
| 206 reset(); | |
| 207 } | |
| 208 | |
| 187 HTMLCanvasElement::ContextFactoryVector& HTMLCanvasElement::renderingContextFact ories() | 209 HTMLCanvasElement::ContextFactoryVector& HTMLCanvasElement::renderingContextFact ories() |
| 188 { | 210 { |
| 189 DCHECK(isMainThread()); | 211 DCHECK(isMainThread()); |
| 190 DEFINE_STATIC_LOCAL(ContextFactoryVector, s_contextFactories, (CanvasRenderi ngContext::ContextTypeCount)); | 212 DEFINE_STATIC_LOCAL(ContextFactoryVector, s_contextFactories, (CanvasRenderi ngContext::ContextTypeCount)); |
| 191 return s_contextFactories; | 213 return s_contextFactories; |
| 192 } | 214 } |
| 193 | 215 |
| 194 CanvasRenderingContextFactory* HTMLCanvasElement::getRenderingContextFactory(int type) | 216 CanvasRenderingContextFactory* HTMLCanvasElement::getRenderingContextFactory(int type) |
| 195 { | 217 { |
| 196 DCHECK(type < CanvasRenderingContext::ContextTypeCount); | 218 DCHECK(type < CanvasRenderingContext::ContextTypeCount); |
| (...skipping 436 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 633 | 655 |
| 634 String encodingMimeType = toEncodingMimeType(mimeType, EncodeReasonToDataURL ); | 656 String encodingMimeType = toEncodingMimeType(mimeType, EncodeReasonToDataURL ); |
| 635 | 657 |
| 636 ImageData* imageData = toImageData(sourceBuffer, SnapshotReasonToDataURL); | 658 ImageData* imageData = toImageData(sourceBuffer, SnapshotReasonToDataURL); |
| 637 | 659 |
| 638 return ImageDataBuffer(imageData->size(), imageData->data()->data()).toDataU RL(encodingMimeType, quality); | 660 return ImageDataBuffer(imageData->size(), imageData->data()->data()).toDataU RL(encodingMimeType, quality); |
| 639 } | 661 } |
| 640 | 662 |
| 641 String HTMLCanvasElement::toDataURL(const String& mimeType, const ScriptValue& q ualityArgument, ExceptionState& exceptionState) const | 663 String HTMLCanvasElement::toDataURL(const String& mimeType, const ScriptValue& q ualityArgument, ExceptionState& exceptionState) const |
| 642 { | 664 { |
| 665 if (surfaceLayerBridge()) { | |
| 666 exceptionState.throwDOMException(InvalidStateError, "canvas.toDataURL is not allowed for a canvas that has transferred its control to offscreen."); | |
|
Justin Novosad
2016/09/13 15:00:11
No idea if this is what is causing the leak, but y
| |
| 667 } | |
| 643 if (!originClean()) { | 668 if (!originClean()) { |
| 644 exceptionState.throwSecurityError("Tainted canvases may not be exported. "); | 669 exceptionState.throwSecurityError("Tainted canvases may not be exported. "); |
| 645 return String(); | 670 return String(); |
| 646 } | 671 } |
| 647 Optional<ScopedUsHistogramTimer> timer; | 672 Optional<ScopedUsHistogramTimer> timer; |
| 648 String lowercaseMimeType = mimeType.lower(); | 673 String lowercaseMimeType = mimeType.lower(); |
| 649 if (mimeType.isNull()) | 674 if (mimeType.isNull()) |
| 650 lowercaseMimeType = DefaultMimeType; | 675 lowercaseMimeType = DefaultMimeType; |
| 651 if (lowercaseMimeType == "image/png") { | 676 if (lowercaseMimeType == "image/png") { |
| 652 DEFINE_THREAD_SAFE_STATIC_LOCAL(CustomCountHistogram, scopedUsCounterPNG , new CustomCountHistogram("Blink.Canvas.ToDataURL.PNG", 0, 10000000, 50)); | 677 DEFINE_THREAD_SAFE_STATIC_LOCAL(CustomCountHistogram, scopedUsCounterPNG , new CustomCountHistogram("Blink.Canvas.ToDataURL.PNG", 0, 10000000, 50)); |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 679 v8::Local<v8::Value> v8Value = qualityArgument.v8Value(); | 704 v8::Local<v8::Value> v8Value = qualityArgument.v8Value(); |
| 680 if (v8Value->IsNumber()) { | 705 if (v8Value->IsNumber()) { |
| 681 quality = v8Value.As<v8::Number>()->Value(); | 706 quality = v8Value.As<v8::Number>()->Value(); |
| 682 } | 707 } |
| 683 } | 708 } |
| 684 return toDataURLInternal(mimeType, quality, BackBuffer); | 709 return toDataURLInternal(mimeType, quality, BackBuffer); |
| 685 } | 710 } |
| 686 | 711 |
| 687 void HTMLCanvasElement::toBlob(BlobCallback* callback, const String& mimeType, c onst ScriptValue& qualityArgument, ExceptionState& exceptionState) | 712 void HTMLCanvasElement::toBlob(BlobCallback* callback, const String& mimeType, c onst ScriptValue& qualityArgument, ExceptionState& exceptionState) |
| 688 { | 713 { |
| 714 if (surfaceLayerBridge()) { | |
| 715 exceptionState.throwDOMException(InvalidStateError, "canvas.toBlob is no t allowed for a canvas that has transferred its control to offscreen."); | |
|
Justin Novosad
2016/09/13 15:00:11
You need to return here
| |
| 716 } | |
| 717 | |
| 689 if (!originClean()) { | 718 if (!originClean()) { |
| 690 exceptionState.throwSecurityError("Tainted canvases may not be exported. "); | 719 exceptionState.throwSecurityError("Tainted canvases may not be exported. "); |
| 691 return; | 720 return; |
| 692 } | 721 } |
| 693 | 722 |
| 694 if (!isPaintable()) { | 723 if (!isPaintable()) { |
| 695 // If the canvas element's bitmap has no pixels | 724 // If the canvas element's bitmap has no pixels |
| 696 TaskRunnerHelper::get(TaskType::CanvasBlobSerialization, &document())->p ostTask(BLINK_FROM_HERE, WTF::bind(&BlobCallback::handleEvent, wrapPersistent(ca llback), nullptr)); | 725 TaskRunnerHelper::get(TaskType::CanvasBlobSerialization, &document())->p ostTask(BLINK_FROM_HERE, WTF::bind(&BlobCallback::handleEvent, wrapPersistent(ca llback), nullptr)); |
| 697 return; | 726 return; |
| 698 } | 727 } |
| (...skipping 314 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1013 DCHECK(m_context); | 1042 DCHECK(m_context); |
| 1014 DCHECK(m_context->getContextType() != CanvasRenderingContext::ContextImageBi tmap); | 1043 DCHECK(m_context->getContextType() != CanvasRenderingContext::ContextImageBi tmap); |
| 1015 if (!hasImageBuffer() && !m_didFailToCreateImageBuffer) | 1044 if (!hasImageBuffer() && !m_didFailToCreateImageBuffer) |
| 1016 const_cast<HTMLCanvasElement*>(this)->createImageBuffer(); | 1045 const_cast<HTMLCanvasElement*>(this)->createImageBuffer(); |
| 1017 return m_imageBuffer.get(); | 1046 return m_imageBuffer.get(); |
| 1018 } | 1047 } |
| 1019 | 1048 |
| 1020 void HTMLCanvasElement::createImageBufferUsingSurfaceForTesting(std::unique_ptr< ImageBufferSurface> surface) | 1049 void HTMLCanvasElement::createImageBufferUsingSurfaceForTesting(std::unique_ptr< ImageBufferSurface> surface) |
| 1021 { | 1050 { |
| 1022 discardImageBuffer(); | 1051 discardImageBuffer(); |
| 1023 setWidth(surface->size().width()); | 1052 setIntegralAttribute(widthAttr, surface->size().width()); |
| 1024 setHeight(surface->size().height()); | 1053 setIntegralAttribute(heightAttr, surface->size().height()); |
| 1025 createImageBufferInternal(std::move(surface)); | 1054 createImageBufferInternal(std::move(surface)); |
| 1026 } | 1055 } |
| 1027 | 1056 |
| 1028 void HTMLCanvasElement::ensureUnacceleratedImageBuffer() | 1057 void HTMLCanvasElement::ensureUnacceleratedImageBuffer() |
| 1029 { | 1058 { |
| 1030 DCHECK(m_context); | 1059 DCHECK(m_context); |
| 1031 if ((hasImageBuffer() && !m_imageBuffer->isAccelerated()) || m_didFailToCrea teImageBuffer) | 1060 if ((hasImageBuffer() && !m_imageBuffer->isAccelerated()) || m_didFailToCrea teImageBuffer) |
| 1032 return; | 1061 return; |
| 1033 discardImageBuffer(); | 1062 discardImageBuffer(); |
| 1034 OpacityMode opacityMode = m_context->creationAttributes().alpha() ? NonOpaqu e : Opaque; | 1063 OpacityMode opacityMode = m_context->creationAttributes().alpha() ? NonOpaqu e : Opaque; |
| (...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1252 | 1281 |
| 1253 bool HTMLCanvasElement::createSurfaceLayer() | 1282 bool HTMLCanvasElement::createSurfaceLayer() |
| 1254 { | 1283 { |
| 1255 DCHECK(!m_surfaceLayerBridge); | 1284 DCHECK(!m_surfaceLayerBridge); |
| 1256 std::unique_ptr<CanvasSurfaceLayerBridgeClient> bridgeClient = wrapUnique(ne w CanvasSurfaceLayerBridgeClientImpl()); | 1285 std::unique_ptr<CanvasSurfaceLayerBridgeClient> bridgeClient = wrapUnique(ne w CanvasSurfaceLayerBridgeClientImpl()); |
| 1257 m_surfaceLayerBridge = wrapUnique(new CanvasSurfaceLayerBridge(std::move(bri dgeClient))); | 1286 m_surfaceLayerBridge = wrapUnique(new CanvasSurfaceLayerBridge(std::move(bri dgeClient))); |
| 1258 return m_surfaceLayerBridge->createSurfaceLayer(this->width(), this->height( )); | 1287 return m_surfaceLayerBridge->createSurfaceLayer(this->width(), this->height( )); |
| 1259 } | 1288 } |
| 1260 | 1289 |
| 1261 } // namespace blink | 1290 } // namespace blink |
| OLD | NEW |
