Fix tainting behavior of SVG in createImageBitmap [chromium/src : main]


Stephen Chenney (Gerrit)

Mar 18, 2026, 10:23:14 PM
to Philip Rogers, AyeAye, chromium...@chromium.org, Nate Chapin, blink-revie...@chromium.org, blink-...@chromium.org, gavinp...@chromium.org, loading...@chromium.org
Attention needed from Philip Rogers

Stephen Chenney voted and added 1 comment

Votes added by Stephen Chenney

Commit-Queue+1

1 comment

Patchset-level comments
File-level comment, Patchset 2 (Latest):
Stephen Chenney · resolved

Quick turnaround, for once.


Related details

Attention is currently required from:
  • Philip Rogers
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: satisfied
  • Code-Review: not satisfied
  • Review-Enforcement: not satisfied
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: Ib447f1050b8a3cf4dbe05bf869eb169a588efa7f
Gerrit-Change-Number: 7683230
Gerrit-PatchSet: 2
Gerrit-Owner: Stephen Chenney <sche...@chromium.org>
Gerrit-Reviewer: Philip Rogers <p...@chromium.org>
Gerrit-Reviewer: Stephen Chenney <sche...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Philip Rogers <p...@chromium.org>
Gerrit-Comment-Date: Thu, 19 Mar 2026 02:23:06 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes

Philip Rogers (Gerrit)

Mar 21, 2026, 5:23:12 PM
to Stephen Chenney, Chromium LUCI CQ, AyeAye, chromium...@chromium.org, Nate Chapin, blink-revie...@chromium.org, blink-...@chromium.org, gavinp...@chromium.org, loading...@chromium.org
Attention needed from Stephen Chenney

Philip Rogers added 3 comments

Patchset-level comments
Philip Rogers · unresolved

Can you do this for blobs too? If we allow data url, we should allow blobs too. Can copy the tests from https://crrev.com/c/5876705.

Just FYI, I am landing metrics for the prevalence of this pattern in https://crrev.com/c/7687863.

Can you send a new blink-dev intent for this, or resurrect the old one? I think it's the right change.

File third_party/blink/renderer/core/loader/resource/image_resource_content.cc
Line 653, Patchset 2 (Latest): if (image->IsSVGImage() && IsDataUrl()) {
Philip Rogers · unresolved

I think this works, but why do we have SVGImage::HasSingleSecurityOrigin at all? [This comment](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/graphics/image.h;drc=956f8d90f2e6a2a5e654adb872ec956bfbeadb51;l=126) just seems wrong. Can we just take all of this out?

I read the history of this area, and this was all added for visited links (https://bugs.webkit.org/show_bug.cgi?id=119492). But, we don't support links in svg images (https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/dom/node.cc;drc=956f8d90f2e6a2a5e654adb872ec956bfbeadb51;l=1577) any more, so this shouldn't matter. We could add a CHECK that we are not in an svg image in VisitedLinkState::DetermineLinkStateSlowCase to prove this.

File third_party/blink/web_tests/external/wpt/html/canvas/element/pixel-manipulation/2d.imageData.createImageBitmap.svg.dataURI.html
Line 37, Patchset 2 (Latest): var bitmap = await createImageBitmap(img);
Philip Rogers · unresolved

This test correctly fails without the patch. I don't understand why https://jsfiddle.net/progers/qhawnyeu allows readback of svg with foreign object. Is it because of this createImageBitmap call--do we detect that as tainting, but drawing img directly doesn't taint?


Related details

Attention is currently required from:
  • Stephen Chenney
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: satisfied
  • Code-Review: not satisfied
  • No-Unresolved-Comments: not satisfied
  • Review-Enforcement: not satisfied
Gerrit-Attention: Stephen Chenney <sche...@chromium.org>
Gerrit-Comment-Date: Sat, 21 Mar 2026 21:23:01 +0000
Gerrit-Has-Labels: No
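The question in the last comment, whether readback of an SVG that contains a foreignObject is blocked only on the createImageBitmap path or also when the img is drawn directly, can be checked from a browser console. The probe below is an added example, not code from this change or from the WPT test it references; the helper names (buildSvgDataUrl, classifyReadback, drawAndProbe, probeSvgTainting) are my own. It draws a data: URL SVG, with and without a foreignObject, into a 2D canvas through both paths and reports whether getImageData() succeeds or throws SecurityError. Which outcome you see depends on the browser build you run it in, which is the point of the probe.

```javascript
// Added probe, not part of the Chromium change under review. It checks, in a
// browser, whether drawing an SVG data: URL image (with and without a
// <foreignObject>) into a 2D canvas leaves the canvas readable, via two paths:
// drawImage(img) directly and drawImage(await createImageBitmap(img)).
// All helper names are assumptions of this example.

// Build a data: URL for a 20x20 SVG. With `withForeignObject` set, the SVG
// embeds HTML content via <foreignObject>, the case discussed in the review.
function buildSvgDataUrl(withForeignObject) {
  const inner = withForeignObject
    ? '<foreignObject width="20" height="20">' +
      '<div xmlns="http://www.w3.org/1999/xhtml" ' +
      'style="background:#0f0;width:20px;height:20px"></div></foreignObject>'
    : '<rect width="20" height="20" fill="#0f0"/>';
  const svg = '<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20">' +
    inner + '</svg>';
  return 'data:image/svg+xml,' + encodeURIComponent(svg);
}

// Run a readback attempt and classify the outcome. Reading a tainted canvas
// makes getImageData() throw a DOMException whose name is "SecurityError".
function classifyReadback(readback) {
  try {
    readback();
    return 'readable';
  } catch (e) {
    return e && e.name === 'SecurityError' ? 'tainted' : 'error:' + (e && e.name);
  }
}

// Load an <img> from a URL; resolves with the element once it has loaded.
function loadImage(url) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => resolve(img);
    img.onerror = () => reject(new Error('image failed to load: ' + url));
    img.src = url;
  });
}

// Draw `source` (an <img> or an ImageBitmap) into a fresh canvas and report
// whether a single pixel can be read back afterwards.
function drawAndProbe(source) {
  const canvas = document.createElement('canvas');
  canvas.width = canvas.height = 20;
  const ctx = canvas.getContext('2d');
  ctx.drawImage(source, 0, 0);
  return classifyReadback(() => ctx.getImageData(0, 0, 1, 1));
}

// Probe all four combinations. Returns an object keyed by SVG variant
// ('plain', 'foreignObject'), each holding the result for the 'drawImage'
// and 'imageBitmap' paths as 'readable' or 'tainted'.
async function probeSvgTainting() {
  const results = {};
  for (const [label, withFO] of [['plain', false], ['foreignObject', true]]) {
    const img = await loadImage(buildSvgDataUrl(withFO));
    const bitmap = await createImageBitmap(img);
    results[label] = {
      drawImage: drawAndProbe(img),
      imageBitmap: drawAndProbe(bitmap),
    };
    bitmap.close();
  }
  return results;
}

// The DOM-dependent part only runs in a browser; outside one (e.g. Node) the
// pure helpers above remain usable on their own.
if (typeof document !== 'undefined') {
  probeSvgTainting().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Paste the block into the console of a page on the build under test; a readable result on the foreignObject row for one path but tainted on the other is exactly the discrepancy the comment asks about. To extend the check to the blob case raised earlier in the thread, wrap the same SVG source in a Blob of type image/svg+xml and pass URL.createObjectURL(blob) to loadImage in place of the data: URL.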