Bug 248462

Similar to bug 242889, that cause the same end result but for a slightly different reason.


Canvas' security should not take into account Single Origin (for videos and images)

Per canvas' spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean

an object image is not origin-clean if:
HTMLOrSVGImageElement
    image's current request's image data is CORS-cross-origin.
HTMLVideoElement
    image's media data is CORS-cross-origin.
HTMLCanvasElement
ImageBitmap
    image's bitmap's origin-clean flag is false.

The definition for CORS-cross-origin is:
https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-cross-origin
"A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin."

However, the `bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)` method to perform this check does:
```
    if (!video->didPassCORSAccessCheck() && video->wouldTaintOrigin(*m_canvas.securityOrigin()))
        return true;
```

When a video is decoded via AVFoundation; the method wouldTaintOrigin does the following in WebCoreNSURLSession:
```
- (BOOL)wouldTaintOrigin:(const WebCore::SecurityOrigin &)origin
{
    for (auto& responseOrigin : _origins) {
        if (!origin.isSameOriginDomain(*responseOrigin))
            return true;
    }
    return false;
}
```

so it only checks that the origin is the same across all responses.

This isn't per spec, the origin should be ignored and instead we should rely on the CORS cross-origin data.