Bug 1509335 [wpt PR 14183] - WPT: service worker: canvas tainting with two images from the same URL, a=testonly

Automatic update from web-platform-testsWPT: service worker: canvas tainting with two images from the same URL

This adds a test that does the following:
- Writes to a canvas with a cors same-origin image
- Writes to a canvas with a cors cross-origin image from the same URL
- Tests that the canvas is tainted after the second step.

Bug: 907047
Change-Id: Ie231b442eb9b55c642b3957c065555e6f4997a83
Reviewed-on: https://chromium-review.googlesource.com/c/1347952
Commit-Queue: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Makoto Shimazu <shimazu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610356}

--

wpt-commits: d65f24c346dff3b5dce2983b413805b97c223417
wpt-pr: 14183

testing/web-platform/tests/service-workers/service-worker/fetch-canvas-tainting-double-write.https.html

@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+<script src="resources/test-helpers.sub.js"></script>
+<meta charset="utf-8">
+<title>canvas tainting when written twice</title>
+<script>
+function loadImage(doc, url) {
+  return new Promise((resolve, reject) => {
+    const image = doc.createElement('img');
+    image.onload = () => { resolve(image); }
+    image.onerror = () => { reject('failed to load: ' + url); };
+    image.src = url;
+  });
+}
+
+// Tests that a canvas is tainted after it's written to with both a clear image
+// and opaque image from the same URL. A bad implementation might cache the
+// info of the clear image and assume the opaque image is also clear because
+// it's from the same URL. See https://crbug.com/907047 for details.
+promise_test(async (t) => {
+  // Set up a service worker and a controlled iframe.
+  const script = 'resources/fetch-canvas-tainting-double-write-worker.js';
+  const scope = 'resources/fetch-canvas-tainting-double-write-iframe.html';
+  const registration = await service_worker_unregister_and_register(
+      t, script, scope);
+  t.add_cleanup(() => registration.unregister());
+  await wait_for_state(t, registration.installing, 'activated');
+  const iframe = await with_iframe(scope);
+  t.add_cleanup(() => iframe.remove());
+
+  // Load the same cross-origin image URL through the controlled iframe and
+  // this uncontrolled frame. The service worker responds with a same-origin
+  // image for the controlled iframe, so it is cleartext.
+  const imagePath = base_path() + 'resources/fetch-access-control.py?PNGIMAGE';
+  const imageUrl = get_host_info()['HTTPS_REMOTE_ORIGIN'] + imagePath;
+  const clearImage = await loadImage(iframe.contentDocument, imageUrl);
+  const opaqueImage = await loadImage(document, imageUrl);
+
+  // Set up a canvas for testing tainting.
+  const canvas = document.createElement('canvas');
+  const context = canvas.getContext('2d');
+  canvas.width = clearImage.width;
+  canvas.height = clearImage.height;
+
+  // The clear image and the opaque image have the same src URL. But...
+
+  // ... the clear image doesn't taint the canvas.
+  context.drawImage(clearImage, 0, 0);
+  assert_true(canvas.toDataURL().length > 0);
+
+  // ... the opaque image taints the canvas.
+  context.drawImage(opaqueImage, 0, 0);
+  assert_throws('SecurityError', () => { canvas.toDataURL(); });
+}, 'canvas is tainted after writing both a non-opaque image and an opaque image from the same URL');
+</script>

testing/web-platform/tests/service-workers/service-worker/resources/fetch-canvas-tainting-double-write-worker.js

@@ -0,0 +1,7 @@
+self.addEventListener('fetch', (event) => {
+  url = new URL(event.request.url);
+  if (url.search == '?PNGIMAGE') {
+    localUrl = new URL(url.pathname + url.search, self.location);
+    event.respondWith(fetch(localUrl));
+  }
+});