Description was changed from ========== Make OffscreenCanvas WebGL(2) context consider taintedness of image source BUG=696222 ...
3 years, 8 months ago
(2017-04-07 21:46:11 UTC)
#1
Description was changed from
==========
Make OffscreenCanvas WebGL(2) context consider taintedness of image source
BUG=696222
==========
to
==========
Make OffscreenCanvas WebGL(2) context consider taintedness of image source
BUG=696222
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
==========
junov@: pls take a look at the security layout test and some general change in ...
3 years, 8 months ago
(2017-04-10 19:03:14 UTC)
#3
junov@: pls take a look at the security layout test and some general change in
CanvasRenderingContext.
kbr@: pls take a look at the webgl change.
Thanks!
Justin Novosad
lgtm with comments. Should we upstream the test to webgl conformance tests? https://codereview.chromium.org/2806803003/diff/80001/third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp File third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp ...
3 years, 8 months ago
(2017-04-12 14:53:41 UTC)
#4
On 2017/04/12 14:53:41, Justin Novosad wrote: > Should we upstream the test to webgl conformance ...
3 years, 8 months ago
(2017-04-12 19:37:29 UTC)
#5
On 2017/04/12 14:53:41, Justin Novosad wrote:
> Should we upstream the test to webgl conformance tests?
>
I'm not quite sure whether it's fine to upload a cross-origin security test
instead of a functionality test to webgl conformance test suite. kbr@: WDYT?
https://codereview.chromium.org/2806803003/diff/80001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp
(right):
https://codereview.chromium.org/2806803003/diff/80001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/html/canvas/CanvasRenderingContext.cpp:235:
image_source->WouldTaintOrigin(destination_security_origin);
On 2017/04/12 14:53:40, Justin Novosad wrote:
> Just checking: I assume OCRC2D was already calling this correctly and with a
> non-null destination_security_origin, and we already have tests for that?
Yes, OCRC2D is already doing this correct. It calls WouldTaintOrigin in two
functions and each has its own security test:
drawImage:
LayoutTests/http/tests/security/offscreencanvas-read-blocked-no-crossorigin.html
createPattern:
LayoutTests/http/tests/security/cross-origin-OffscreenCanvas2D-createPattern.html
Ken Russell (switch to Gerrit)
On 2017/04/12 19:37:29, xlai (Olivia) wrote: > On 2017/04/12 14:53:41, Justin Novosad wrote: > > ...
3 years, 8 months ago
(2017-04-12 23:31:14 UTC)
#6
On 2017/04/12 19:37:29, xlai (Olivia) wrote:
> On 2017/04/12 14:53:41, Justin Novosad wrote:
> > Should we upstream the test to webgl conformance tests?
> >
>
> I'm not quite sure whether it's fine to upload a cross-origin security test
> instead of a functionality test to webgl conformance test suite. kbr@: WDYT?
Yes, please do add tests to the WebGL conformance suite. There are already some
tests for properly rejecting cross-origin HTMLImageElements, and tainted
HTMLCanvasElements. Please see these tests:
sdk/tests/conformance/textures/misc/origin-clean-conformance.html
sdk/tests/conformance/more/functions/readPixelsBadArgs.html
sdk/tests/conformance/more/functions/texImage2DHTML.html
sdk/tests/conformance/more/functions/texSubImage2DHTML.html
If you have any questions about the structure of the tests please tell me. One
possibly confusing note is that "SOP" in some of these tests stands for
"Standard Operating Procedure".
LGTM
xlai (Olivia)
The CQ bit was checked by xlai@chromium.org to run a CQ dry run
3 years, 8 months ago
(2017-04-13 14:17:04 UTC)
#7
On 2017/04/12 23:31:14, Ken Russell wrote: > On 2017/04/12 19:37:29, xlai (Olivia) wrote: > > ...
3 years, 8 months ago
(2017-04-19 20:35:30 UTC)
#15
Message was sent while issue was closed.
On 2017/04/12 23:31:14, Ken Russell wrote:
> On 2017/04/12 19:37:29, xlai (Olivia) wrote:
> > On 2017/04/12 14:53:41, Justin Novosad wrote:
> > > Should we upstream the test to webgl conformance tests?
> > >
> >
> > I'm not quite sure whether it's fine to upload a cross-origin security test
> > instead of a functionality test to webgl conformance test suite. kbr@: WDYT?
>
> Yes, please do add tests to the WebGL conformance suite. There are already
some
> tests for properly rejecting cross-origin HTMLImageElements, and tainted
> HTMLCanvasElements. Please see these tests:
>
> sdk/tests/conformance/textures/misc/origin-clean-conformance.html
> sdk/tests/conformance/more/functions/readPixelsBadArgs.html
> sdk/tests/conformance/more/functions/texImage2DHTML.html
> sdk/tests/conformance/more/functions/texSubImage2DHTML.html
>
> If you have any questions about the structure of the tests please tell me. One
> possibly confusing note is that "SOP" in some of these tests stands for
> "Standard Operating Procedure".
>
> LGTM
As a follow-up of this CL, I've created a GitHub pull request
https://github.com/KhronosGroup/WebGL/pull/2376
to add security tests.
Issue 2806803003: Make OffscreenCanvas WebGL(2) context consider taintedness of image source
(Closed)
Created 3 years, 8 months ago by xlai (Olivia)
Modified 3 years, 8 months ago
Reviewers: Justin Novosad, Ken Russell (switch to Gerrit)
Base URL:
Comments: 2