Bug 248462 - Canvas check for painting videos is incorrect.
Summary: Canvas check for painting videos is incorrect.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Matt Woodrow
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-11-29 01:05 PST by Jean-Yves Avenard [:jya]
Modified: 2023-01-19 13:20 PST (History)

See Also:


Description Jean-Yves Avenard [:jya] 2022-11-29 01:05:52 PST
Similar to bug 242889, which causes the same end result but for a slightly different reason.


Canvas' security should not take into account Single Origin (for videos and images)

Per canvas' spec:
https://html.spec.whatwg.org/multipage/canvas.html#the-image-argument-is-not-origin-clean

an image object is not origin-clean if:
HTMLOrSVGImageElement
    image's current request's image data is CORS-cross-origin.
HTMLVideoElement
    image's media data is CORS-cross-origin.
HTMLCanvasElement
ImageBitmap
    image's bitmap's origin-clean flag is false.

The definition for CORS-cross-origin is:
https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-cross-origin
"A response whose type is "opaque" or "opaqueredirect" is CORS-cross-origin."

However, the `bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)` method that performs this check does:
```cpp
    // Only consults the CORS result as a short-circuit; otherwise falls back to an origin comparison.
    if (!video->didPassCORSAccessCheck() && video->wouldTaintOrigin(*m_canvas.securityOrigin()))
        return true;
```

When a video is decoded via AVFoundation, the method wouldTaintOrigin does the following in WebCoreNSURLSession:
```objc
- (BOOL)wouldTaintOrigin:(const WebCore::SecurityOrigin &)origin
{
    // _origins holds the origin of every response received for the media data.
    for (auto& responseOrigin : _origins) {
        if (!origin.isSameOriginDomain(*responseOrigin))
            return true;
    }
    return false;
}
```

so it only checks that the origin is the same across all responses.

This isn't per spec; the origin should be ignored and instead we should rely on the CORS cross-origin data.
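As an added illustration (not WebKit code, not part of the original report), the following models the spec's check quoted above: "not origin-clean" is decided purely from fetch response types, and the canvas's origin-clean flag is cleared when such an image is drawn, with no canvas origin comparison involved. All type and function names are hypothetical.

```cpp
// Added example, not WebKit code: models the HTML spec's "image argument is not
// origin-clean" check and the origin-clean flag that canvas export depends on.
#include <vector>

// Fetch response types; only the opaque ones are CORS-cross-origin per the spec.
enum class ResponseType { Basic, Cors, Opaque, OpaqueRedirect };

bool isCORSCrossOrigin(ResponseType t) {
    return t == ResponseType::Opaque || t == ResponseType::OpaqueRedirect;
}

struct VideoElement { std::vector<ResponseType> mediaResponses; }; // one entry per media response
struct ImageElement { ResponseType currentRequest; };
struct Canvas { bool originClean = true; };  // HTMLCanvasElement / ImageBitmap share this flag

// HTMLVideoElement: the media data is CORS-cross-origin if any response is.
// No canvas origin is consulted, unlike the isSameOriginDomain loop in the report.
bool imageIsNotOriginClean(const VideoElement& v) {
    for (ResponseType t : v.mediaResponses)
        if (isCORSCrossOrigin(t)) return true;
    return false;
}
bool imageIsNotOriginClean(const ImageElement& i) { return isCORSCrossOrigin(i.currentRequest); }
bool imageIsNotOriginClean(const Canvas& c) { return !c.originClean; }

// drawImage(): painting a not-origin-clean image clears the destination's flag.
template <typename Image>
void drawImage(Canvas& dest, const Image& src) {
    if (imageIsNotOriginClean(src)) dest.originClean = false;
}

// toDataURL()/getImageData(): refused with a SecurityError once the flag is false.
bool canExportPixels(const Canvas& c) { return c.originClean; }

// Constructed scenario: a CORS-approved video keeps the canvas clean, a video fetched
// without CORS (opaque responses) taints it, and the taint follows the canvas elsewhere.
bool constructedScenario() {
    Canvas canvas;
    drawImage(canvas, VideoElement{{ResponseType::Cors, ResponseType::Cors}});
    bool cleanAfterCors = canExportPixels(canvas);
    drawImage(canvas, VideoElement{{ResponseType::Basic, ResponseType::Opaque}});
    bool taintedAfterOpaque = !canExportPixels(canvas);
    Canvas second;
    drawImage(second, canvas);                 // tainted canvas taints its destination
    return cleanAfterCors && taintedAfterOpaque && !canExportPixels(second);
}
```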
Comment 1 Radar WebKit Bug Importer 2022-11-29 01:06:12 PST
<rdar://problem/102754474>
Comment 2 Matt Woodrow 2023-01-15 16:38:30 PST
Pull request: https://github.com/WebKit/WebKit/pull/8603
Comment 3 EWS 2023-01-19 13:19:51 PST
Committed 259108@main (ec3e1edcb9e5): <https://commits.webkit.org/259108@main>

Reviewed commits have been landed. Closing PR #8603 and removing active labels.