Attachment #208393 for bug #119492

View Details Raw Unified Return to Bug 119492

| Differences between



2013-08-07  Timothy Hatcher  <timothy@apple.com>

        Allow SVG images to be drawn into canvas without tainting.
        https://bugs.webkit.org/show_bug.cgi?id=119492

        Reviewed by NOBODY (OOPS!).

        Tests: svg/as-image/svg-canvas-not-tainted.html
               svg/as-image/svg-canvas-link-not-colored.html
               svg/as-image/svg-canvas-xhtml-tainted.html

        * html/HTMLAnchorElement.cpp:
        (WebCore::HTMLAnchorElement::parseAttribute): Call shouldProhibitLinks.
        (WebCore::shouldProhibitLinks): Added.
        * html/HTMLAnchorElement.h:
        * html/HTMLImageElement.cpp:
        (WebCore::HTMLImageElement::parseAttribute): Call shouldProhibitLinks.
        * rendering/svg/RenderSVGRoot.cpp:
        (WebCore::RenderSVGRoot::isEmbeddedThroughSVGImage): Use isInSVGImage.
        * svg/SVGAElement.cpp:
        (WebCore::SVGAElement::svgAttributeChanged): Call shouldProhibitLinks.
        * svg/graphics/SVGImage.cpp:
        (WebCore::SVGImage::hasSingleSecurityOrigin): Added.
        (WebCore::isInSVGImage): Added.
        * svg/graphics/SVGImage.h:

2013-08-06  Brent Fulgham  <bfulgham@apple.com>

        Improper Calculation of In-band Cue Colors



#include "PlatformMouseEvent.h"
#include "RenderImage.h"
#include "ResourceRequest.h"
#include "SVGImage.h"
#include "SecurityOrigin.h"
#include "SecurityPolicy.h"
#include "Settings.h"

{
    if (name == hrefAttr) {
        bool wasLink = isLink();
        setIsLink(!value.isNull() && !shouldProhibitLinks(this));
        if (wasLink != isLink())
            didAffectSelector(AffectedSelectorLink | AffectedSelectorVisited | AffectedSelectorEnabled);
        if (isLink()) {

    return event->type() == eventNames().clickEvent && (!event->isMouseEvent() || static_cast<MouseEvent*>(event)->button() != RightButton);
}

bool shouldProhibitLinks(Element* element)
{
#if ENABLE(SVG)
    return isInSVGImage(element);
#else
    return false;
#endif
}

bool HTMLAnchorElement::willRespondToMouseClickEvents()
{
    return isLink() || HTMLElement::willRespondToMouseClickEvents();

Lines 174-179 inline HTMLAnchorElement* toHTMLAnchorElement(Node* node) a/Source/WebCore/html/HTMLAnchorElement.h_sec1
- a/Source/WebCore/html/HTMLAnchorElement.h +1 lines
174		174
175	bool isEnterKeyKeydownEvent(Event*);	175	bool isEnterKeyKeydownEvent(Event*);
176	bool isLinkClick(Event*);	176	bool isLinkClick(Event*);
		177	bool shouldProhibitLinks(Element*);
177		178
178	} // namespace WebCore	179	} // namespace WebCore
179		180



#include "CachedImage.h"
#include "EventNames.h"
#include "FrameView.h"
#include "HTMLAnchorElement.h"
#include "HTMLDocument.h"
#include "HTMLFormElement.h"
#include "HTMLNames.h"

            deviceScaleFactor = page->deviceScaleFactor();
        m_bestFitImageURL = bestFitSourceForImageAttributes(deviceScaleFactor, fastGetAttribute(srcAttr), fastGetAttribute(srcsetAttr));
        m_imageLoader.updateFromElementIgnoringPreviousError();
    } else if (name == usemapAttr)
        setIsLink(!value.isNull() && !shouldProhibitLinks(this));
        setIsLink(!value.isNull());
    else if (name == onbeforeloadAttr)
        setAttributeEventListener(eventNames().beforeloadEvent, createAttributeEventListener(this, name, value));
    else if (name == compositeAttr) {



#include "RenderSVGResource.h"
#include "RenderSVGResourceContainer.h"
#include "RenderView.h"
#include "SVGImage.h"
#include "SVGLength.h"
#include "SVGRenderingContext.h"
#include "SVGResources.h"

{
    if (!node())
        return false;
    return isInSVGImage(toSVGSVGElement(node()));
    Frame* frame = node()->document()->frame();
    if (!frame)
        return false;

    // Test whether we're embedded through an img.
    if (!frame->page())
        return false;

    ChromeClient* chromeClient = frame->page()->chrome().client();
    if (!chromeClient || !chromeClient->isSVGImageChromeClient())
        return false;

    return true;
}

bool RenderSVGRoot::isEmbeddedThroughFrameContainingSVGDocument() const



    // as none of the other properties changes the linking behaviour for our <a> element.
    if (SVGURIReference::isKnownAttribute(attrName)) {
        bool wasLink = isLink();
        setIsLink(!href().isNull() && !shouldProhibitLinks(this));

        if (wasLink != isLink())
            setNeedsStyleRecalc();
    }



#if ENABLE(SVG)
#include "SVGImage.h"

#include "Chrome.h"
#include "DocumentLoader.h"
#include "FrameView.h"
#include "ImageBuffer.h"
#include "ImageObserver.h"
#include "IntRect.h"
#include "NodeTraversal.h"
#include "RenderSVGRoot.h"
#include "RenderStyle.h"
#include "SVGDocument.h"

    ASSERT(!m_chromeClient || !m_chromeClient->image());
}

bool SVGImage::hasSingleSecurityOrigin() const
{
    if (!m_page)
        return true;

    Frame* frame = m_page->mainFrame();
    SVGSVGElement* rootElement = toSVGDocument(frame->document())->rootElement();
    if (!rootElement)
        return true;

    // Don't allow foreignObject elements since they can leak information with arbitrary HTML (like spellcheck or control theme).
    for (Element* current = ElementTraversal::firstWithin(rootElement); current; current = ElementTraversal::next(current, rootElement)) {
        if (current->hasTagName(SVGNames::foreignObjectTag))
            return false;
    }

    // Because SVG image rendering disallows external resources and links,
    // these images effectively are restricted to a single security origin.
    return true;
}

void SVGImage::setContainerSize(const IntSize& size)
{
    if (!m_page || !usesContainerSize())

    return "svg";
}

bool isInSVGImage(const Element* element)
{
    ASSERT(element);

    Page* page = element->document()->page();
    if (!page)
        return false;

    ChromeClient* chromeClient = page->chrome().client();
    return chromeClient && chromeClient->isSVGImageChromeClient();
}

}

#endif // ENABLE(SVG)

Lines 33-38 a/Source/WebCore/svg/graphics/SVGImage.h_sec1
- a/Source/WebCore/svg/graphics/SVGImage.h +6 lines
33		33
34	namespace WebCore {	34	namespace WebCore {
35		35
		36	class Element;
36	class FrameView;	37	class FrameView;
37	class ImageBuffer;	38	class ImageBuffer;
38	class Page;	39	class Page;
Lines 53-58 public: a/Source/WebCore/svg/graphics/SVGImage.h_sec2
53	virtual bool isSVGImage() const { return true; }	54	virtual bool isSVGImage() const { return true; }
54	virtual IntSize size() const OVERRIDE { return m_intrinsicSize; }	55	virtual IntSize size() const OVERRIDE { return m_intrinsicSize; }
55		56
		57	virtual bool hasSingleSecurityOrigin() const OVERRIDE;
		58
56	virtual bool hasRelativeWidth() const;	59	virtual bool hasRelativeWidth() const;
57	virtual bool hasRelativeHeight() const;	60	virtual bool hasRelativeHeight() const;
58		61
Lines 97-102 private: a/Source/WebCore/svg/graphics/SVGImage.h_sec3
97	OwnPtr<Page> m_page;	100	OwnPtr<Page> m_page;
98	IntSize m_intrinsicSize;	101	IntSize m_intrinsicSize;
99	};	102	};
		103
		104	bool isInSVGImage(const Element*);
		105
100	}	106	}
101		107
102	#endif // ENABLE(SVG)	108	#endif // ENABLE(SVG)



2013-08-07  Timothy Hatcher  <timothy@apple.com>

        Allow SVG images to be drawn into canvas without tainting.
        https://bugs.webkit.org/show_bug.cgi?id=119492

        Reviewed by NOBODY (OOPS!).

        * fast/canvas/svg-taint-expected.txt: Removed.
        * fast/canvas/svg-taint.html: Removed. Obsolete.
        * http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt: Removed.
        * http/tests/security/canvas-remote-read-data-url-svg-image.html: Removed. Obsolete.
        * http/tests/security/canvas-remote-read-svg-image-expected.txt: Removed.
        * http/tests/security/canvas-remote-read-svg-image.html: Removed. Obsolete.
        * svg/as-image/resources/link-xhtml-svg.svg: Added.
        * svg/as-image/resources/link-xhtml.svg: Added.
        * svg/as-image/resources/link.svg: Added.
        * svg/as-image/svg-canvas-link-not-colored-expected.txt: Added.
        * svg/as-image/svg-canvas-link-not-colored.html: Added.
        * svg/as-image/svg-canvas-not-tainted-expected.txt: Added.
        * svg/as-image/svg-canvas-not-tainted.html: Added.
        * svg/as-image/svg-canvas-xhtml-tainted-expected.txt: Added.
        * svg/as-image/svg-canvas-xhtml-tainted.html: Added.

2013-08-06  Bem Jones-Bey  <bjonesbe@adobe.com>

        [CSS Shapes] New positioning model: support for shape-margin

Lines 1-7 a/LayoutTests/fast/canvas/svg-taint-expected.txt_sec1
- a/LayoutTests/fast/canvas/svg-taint-expected.txt -7 lines
1	CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
2	Let's check that rendering an SVG pattern to a canvas taints it!
3	See https://bugs.webkit.org/show_bug.cgi?id=36838
4
5	Starting...
6	Exception: SecurityError
7



<html>
<head>
<script>
if (window.testRunner) {
  testRunner.dumpAsText();
  testRunner.waitUntilDone();
}

function log(message) {
  var console = document.getElementById('log');
  console.appendChild(document.createTextNode(message));
  console.appendChild(document.createElement('br'));
}

function loaded() {
  var canvas = document.getElementById('canvas');
  var ctx = canvas.getContext("2d");
  var img = document.getElementById('img');
  log('Starting...');

  // This should taint the canvas by rendering an SVG on to it via the pattern
  // route.
  var p = ctx.createPattern(img, 'repeat');
  ctx.fillStyle = p;
  ctx.fillRect(0, 0, 100, 100);

  try {
    // This should fail as the canvas should be tainted.
    var data = ctx.getImageData(0, 0, 10, 10);
    log('Oh dear -- missing exception!');
  } catch (e) {
    log('Exception: ' + e.name);
    if (window.testRunner)
      testRunner.notifyDone();
  }
}
</script>
</head>
<body>
Let's check that rendering an SVG pattern to a canvas taints it!
<p>
See https://bugs.webkit.org/show_bug.cgi?id=36838
<div id="log"></div>
<canvas id="canvas" width="100" height="100"></canvas>
<img id="img" onload="loaded()" src="resources/empty.svg"></img>
</body>

Lines 1-5 a/LayoutTests/http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt_sec1
- a/LayoutTests/http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt -5 lines
1	CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
2	This tests that drawing a remote SVG image onto a canvas from a data URL taints the canvas
3
4	PASS: getImageData failed. Canvas tainted.
5



<html>
<head>
<script>
if (window.testRunner)
    testRunner.dumpAsText();

function log(msg)
{
    document.getElementById('console').appendChild(document.createTextNode(msg + "\n"));
}

function draw()
{
    var canvas = document.getElementById("canvas");
    var ctx = canvas.getContext("2d");
    ctx.drawImage(document.getElementById("img"), 0, 0);

    try {
        var data = ctx.getImageData(20, 20, 290, 75);
        log("FAIL: getImageData succeeded. Canvas not tainted.");
    } catch (e) {
        log("PASS: getImageData failed. Canvas tainted.");
    }
}
</script>
</head>
<body>
    <p>This tests that drawing a remote SVG image onto a canvas from a data URL
    taints the canvas</p>
    <pre id="console"></pre>
    <canvas id="canvas" width="330" height="115"></canvas>
    <img id="img" onload="draw()" src='data:image/svg+xml,
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100">
    <image xlink:href="http://localhost:8000/security/resources/abe.png"
           width="100" height="100"/>
</svg>'>
</body>
</html>

Lines 1-5 a/LayoutTests/http/tests/security/canvas-remote-read-svg-image-expected.txt_sec1
- a/LayoutTests/http/tests/security/canvas-remote-read-svg-image-expected.txt -5 lines
1	CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
2	This tests that drawing a SVG image to a canvas taints the canvas
3
4	PASS: getImageData failed. Canvas tainted.
5



<html>
<head>
<script>
if (window.testRunner)
    testRunner.dumpAsText();

function log(msg)
{
    document.getElementById('console').appendChild(document.createTextNode(msg + "\n"));
}

function draw()
{
    var canvas = document.getElementById("canvas");
    var ctx = canvas.getContext("2d");
    ctx.drawImage(document.getElementById("img"), 0, 0);

    try {
        var data = ctx.getImageData(20, 20, 290, 75);
        log("FAIL: getImageData succeeded. Canvas not tainted.");
    } catch (e) {
        log("PASS: getImageData failed. Canvas tainted.");
    }
}
</script>
</head>
<body>
    <p>This tests that drawing a SVG image to a canvas taints the canvas</p>
    <pre id="console"></pre>
    <canvas id="canvas" width="330" height="115"></canvas>
    <img id="img" onload="draw()" src="resources/image-wrapper.svg">
</body>
</html>



<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml" viewBox="0 0 100 100">
    <foreignObject width="100" height="100">
        <style>a div { background-color: green; width: 100px; height: 100px } a:link div, a:visited div { background-color: red }</style>
        <xhtml:a href="http://www.example.com/"><xhtml:div></xhtml:div></xhtml:a>
    </foreignObject>
</svg>



<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
    <style>a rect { fill: green } a:link rect, a:visited rect { fill: red }</style>
    <a xlink:href="http://www.example.com/">
        <rect x="0" y="0" width="100" height="100"/>
    </a>
</svg>

Line 0 a/LayoutTests/svg/as-image/svg-canvas-link-not-colored-expected.txt_sec1
- a/LayoutTests/svg/as-image/svg-canvas-link-not-colored-expected.txt +7 lines
	1	PASS window.colorChannels[0] is 0
	2	PASS window.colorChannels[1] is 0
	3	PASS window.colorChannels[2] is 0
	4	PASS window.colorChannels[0] is 0
	5	PASS window.colorChannels[1] is 128
	6	PASS window.colorChannels[2] is 0
	7



<!DOCTYPE html>
<html>
<head>
    <script src="../../fast/js/resources/js-test-pre.js"></script>
</head>
<body>
    <script>
        if (window.testRunner) {
            testRunner.dumpAsText();
            testRunner.waitUntilDone();
        }

        var svg = new Image();
        svg.src = "resources/link.svg";

        svg.onload = function() {
            var canvas = document.createElement("canvas");
            var ctx = canvas.getContext("2d");

            window.colorChannels = ctx.getImageData(0, 0, 1, 1).data;

            shouldBe("window.colorChannels[0]", "0");
            shouldBe("window.colorChannels[1]", "0");
            shouldBe("window.colorChannels[2]", "0");

            ctx.drawImage(svg, 0, 0);

            window.colorChannels = ctx.getImageData(0, 0, 1, 1).data;

            shouldBe("window.colorChannels[0]", "0");
            shouldBe("window.colorChannels[1]", "128");
            shouldBe("window.colorChannels[2]", "0");

            if (window.testRunner)
                testRunner.notifyDone();
        };
    </script>
</body>
</html>

Line 0 a/LayoutTests/svg/as-image/svg-canvas-not-tainted-expected.txt_sec1
- a/LayoutTests/svg/as-image/svg-canvas-not-tainted-expected.txt +3 lines
	1	This test passes if there is a green box and no security errors.
	2
	3



<!DOCTYPE html>
<html>
<body>
    This test passes if there is a green box and no security errors.<br><br>
    <canvas id="canvas" width="100" height="100"></canvas>
    <script>
        if (window.testRunner) {
            testRunner.dumpAsText();
            testRunner.waitUntilDone();
        }

        var svg = new Image();
        svg.src = "resources/100px-green-rect.svg";

        svg.onload = function() {
            var canvas = document.getElementById("canvas");
            var ctx = canvas.getContext("2d");

            ctx.drawImage(svg, 0, 0);
            ctx.getImageData(0, 0, 100, 100);

            if (window.testRunner)
                testRunner.notifyDone();
        };
    </script>
</body>
</html>

Line 0 a/LayoutTests/svg/as-image/svg-canvas-xhtml-tainted-expected.txt_sec1
- a/LayoutTests/svg/as-image/svg-canvas-xhtml-tainted-expected.txt +3 lines
	1	CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
	2	PASS window.ctx.getImageData(0, 0, 1, 1) threw exception Error: SecurityError: DOM Exception 18.
	3



<!DOCTYPE html>
<html>
<head>
    <script src="../../fast/js/resources/js-test-pre.js"></script>
</head>
<body>
    <script>
        if (window.testRunner) {
            testRunner.dumpAsText();
            testRunner.waitUntilDone();
        }

        var svg = new Image();
        svg.src = "resources/link-xhtml.svg";

        svg.onload = function() {
            var canvas = document.createElement("canvas");
            window.ctx = canvas.getContext("2d");

            ctx.getImageData(0, 0, 1, 1);

            ctx.drawImage(svg, 0, 0);

            shouldThrow("window.ctx.getImageData(0, 0, 1, 1)");

            if (window.testRunner)
                testRunner.notifyDone();
        };
    </script>
</body>
</html>

Return to Bug 119492

Lines 42-47 a/Source/WebCore/html/HTMLAnchorElement.cpp_sec1
- a/Source/WebCore/html/HTMLAnchorElement.cpp -1 / +11 lines
42	#include "PlatformMouseEvent.h"	42	#include "PlatformMouseEvent.h"
43	#include "RenderImage.h"	43	#include "RenderImage.h"
44	#include "ResourceRequest.h"	44	#include "ResourceRequest.h"
		45	#include "SVGImage.h"
45	#include "SecurityOrigin.h"	46	#include "SecurityOrigin.h"
46	#include "SecurityPolicy.h"	47	#include "SecurityPolicy.h"
47	#include "Settings.h"	48	#include "Settings.h"
Lines 245-251 void HTMLAnchorElement::parseAttribute(const QualifiedName& name, const AtomicSt a/Source/WebCore/html/HTMLAnchorElement.cpp_sec2
245	{	246	{
246	if (name == hrefAttr) {	247	if (name == hrefAttr) {
247	bool wasLink = isLink();	248	bool wasLink = isLink();
248	setIsLink(!value.isNull());	249	setIsLink(!value.isNull() && !shouldProhibitLinks(this));
249	if (wasLink != isLink())	250	if (wasLink != isLink())
250	didAffectSelector(AffectedSelectorLink \| AffectedSelectorVisited \| AffectedSelectorEnabled);	251	didAffectSelector(AffectedSelectorLink \| AffectedSelectorVisited \| AffectedSelectorEnabled);
251	if (isLink()) {	252	if (isLink()) {
Lines 599-604 bool isLinkClick(Event* event) a/Source/WebCore/html/HTMLAnchorElement.cpp_sec3
599	return event->type() == eventNames().clickEvent && (!event->isMouseEvent() \|\| static_cast<MouseEvent*>(event)->button() != RightButton);	600	return event->type() == eventNames().clickEvent && (!event->isMouseEvent() \|\| static_cast<MouseEvent*>(event)->button() != RightButton);
600	}	601	}
601		602
		603	bool shouldProhibitLinks(Element* element)
		604	{
		605	#if ENABLE(SVG)
		606	return isInSVGImage(element);
		607	#else
		608	return false;
		609	#endif
		610	}
		611
602	bool HTMLAnchorElement::willRespondToMouseClickEvents()	612	bool HTMLAnchorElement::willRespondToMouseClickEvents()
603	{	613	{
604	return isLink() \|\| HTMLElement::willRespondToMouseClickEvents();	614	return isLink() \|\| HTMLElement::willRespondToMouseClickEvents();

Lines 38-43 a/Source/WebCore/rendering/svg/RenderSVGRoot.cpp_sec1
- a/Source/WebCore/rendering/svg/RenderSVGRoot.cpp -14 / +2 lines
38	#include "RenderSVGResource.h"	38	#include "RenderSVGResource.h"
39	#include "RenderSVGResourceContainer.h"	39	#include "RenderSVGResourceContainer.h"
40	#include "RenderView.h"	40	#include "RenderView.h"
		41	#include "SVGImage.h"
41	#include "SVGLength.h"	42	#include "SVGLength.h"
42	#include "SVGRenderingContext.h"	43	#include "SVGRenderingContext.h"
43	#include "SVGResources.h"	44	#include "SVGResources.h"
Lines 124-143 bool RenderSVGRoot::isEmbeddedThroughSVGImage() const a/Source/WebCore/rendering/svg/RenderSVGRoot.cpp_sec2
124	{	125	{
125	if (!node())	126	if (!node())
126	return false;	127	return false;
127		128	return isInSVGImage(toSVGSVGElement(node()));
128	Frame* frame = node()->document()->frame();
129	if (!frame)
130	return false;
131
132	// Test whether we're embedded through an img.
133	if (!frame->page())
134	return false;
135
136	ChromeClient* chromeClient = frame->page()->chrome().client();
137	if (!chromeClient \|\| !chromeClient->isSVGImageChromeClient())
138	return false;
139
140	return true;
141	}	129	}
142		130
143	bool RenderSVGRoot::isEmbeddedThroughFrameContainingSVGDocument() const	131	bool RenderSVGRoot::isEmbeddedThroughFrameContainingSVGDocument() const

Lines 134-141 void SVGAElement::svgAttributeChanged(const QualifiedName& attrName) a/Source/WebCore/svg/SVGAElement.cpp_sec1
- a/Source/WebCore/svg/SVGAElement.cpp -2 / +1 lines
134	// as none of the other properties changes the linking behaviour for our <a> element.	134	// as none of the other properties changes the linking behaviour for our <a> element.
135	if (SVGURIReference::isKnownAttribute(attrName)) {	135	if (SVGURIReference::isKnownAttribute(attrName)) {
136	bool wasLink = isLink();	136	bool wasLink = isLink();
137	setIsLink(!href().isNull());	137	setIsLink(!href().isNull() && !shouldProhibitLinks(this));
138
139	if (wasLink != isLink())	138	if (wasLink != isLink())
140	setNeedsStyleRecalc();	139	setNeedsStyleRecalc();
141	}	140	}

Lines 1-3 a/Source/WebCore/ChangeLog_sec1
- a/Source/WebCore/ChangeLog +26 lines
		1	2013-08-07 Timothy Hatcher <timothy@apple.com>
		2
		3	Allow SVG images to be drawn into canvas without tainting.
		4	https://bugs.webkit.org/show_bug.cgi?id=119492
		5
		6	Reviewed by NOBODY (OOPS!).
		7
		8	Tests: svg/as-image/svg-canvas-not-tainted.html
		9	svg/as-image/svg-canvas-link-not-colored.html
		10	svg/as-image/svg-canvas-xhtml-tainted.html
		11
		12	* html/HTMLAnchorElement.cpp:
		13	(WebCore::HTMLAnchorElement::parseAttribute): Call shouldProhibitLinks.
		14	(WebCore::shouldProhibitLinks): Added.
		15	* html/HTMLAnchorElement.h:
		16	* html/HTMLImageElement.cpp:
		17	(WebCore::HTMLImageElement::parseAttribute): Call shouldProhibitLinks.
		18	* rendering/svg/RenderSVGRoot.cpp:
		19	(WebCore::RenderSVGRoot::isEmbeddedThroughSVGImage): Use isInSVGImage.
		20	* svg/SVGAElement.cpp:
		21	(WebCore::SVGAElement::svgAttributeChanged): Call shouldProhibitLinks.
		22	* svg/graphics/SVGImage.cpp:
		23	(WebCore::SVGImage::hasSingleSecurityOrigin): Added.
		24	(WebCore::isInSVGImage): Added.
		25	* svg/graphics/SVGImage.h:
		26
1	2013-08-06 Brent Fulgham <bfulgham@apple.com>	27	2013-08-06 Brent Fulgham <bfulgham@apple.com>
2		28
3	Improper Calculation of In-band Cue Colors	29	Improper Calculation of In-band Cue Colors

Lines 29-34 a/Source/WebCore/html/HTMLImageElement.cpp_sec1
- a/Source/WebCore/html/HTMLImageElement.cpp -3 / +3 lines
29	#include "CachedImage.h"	29	#include "CachedImage.h"
30	#include "EventNames.h"	30	#include "EventNames.h"
31	#include "FrameView.h"	31	#include "FrameView.h"
		32	#include "HTMLAnchorElement.h"
32	#include "HTMLDocument.h"	33	#include "HTMLDocument.h"
33	#include "HTMLFormElement.h"	34	#include "HTMLFormElement.h"
34	#include "HTMLNames.h"	35	#include "HTMLNames.h"
Lines 126-134 void HTMLImageElement::parseAttribute(const QualifiedName& name, const AtomicStr a/Source/WebCore/html/HTMLImageElement.cpp_sec2
126	deviceScaleFactor = page->deviceScaleFactor();	127	deviceScaleFactor = page->deviceScaleFactor();
127	m_bestFitImageURL = bestFitSourceForImageAttributes(deviceScaleFactor, fastGetAttribute(srcAttr), fastGetAttribute(srcsetAttr));	128	m_bestFitImageURL = bestFitSourceForImageAttributes(deviceScaleFactor, fastGetAttribute(srcAttr), fastGetAttribute(srcsetAttr));
128	m_imageLoader.updateFromElementIgnoringPreviousError();	129	m_imageLoader.updateFromElementIgnoringPreviousError();
129	}	130	} else if (name == usemapAttr)
130	else if (name == usemapAttr)	131	setIsLink(!value.isNull() && !shouldProhibitLinks(this));
131	setIsLink(!value.isNull());
132	else if (name == onbeforeloadAttr)	132	else if (name == onbeforeloadAttr)
133	setAttributeEventListener(eventNames().beforeloadEvent, createAttributeEventListener(this, name, value));	133	setAttributeEventListener(eventNames().beforeloadEvent, createAttributeEventListener(this, name, value));
134	else if (name == compositeAttr) {	134	else if (name == compositeAttr) {

Lines 1-3 a/LayoutTests/ChangeLog_sec1
- a/LayoutTests/ChangeLog +23 lines
		1	2013-08-07 Timothy Hatcher <timothy@apple.com>
		2
		3	Allow SVG images to be drawn into canvas without tainting.
		4	https://bugs.webkit.org/show_bug.cgi?id=119492
		5
		6	Reviewed by NOBODY (OOPS!).
		7
		8	* fast/canvas/svg-taint-expected.txt: Removed.
		9	* fast/canvas/svg-taint.html: Removed. Obsolete.
		10	* http/tests/security/canvas-remote-read-data-url-svg-image-expected.txt: Removed.
		11	* http/tests/security/canvas-remote-read-data-url-svg-image.html: Removed. Obsolete.
		12	* http/tests/security/canvas-remote-read-svg-image-expected.txt: Removed.
		13	* http/tests/security/canvas-remote-read-svg-image.html: Removed. Obsolete.
		14	* svg/as-image/resources/link-xhtml-svg.svg: Added.
		15	* svg/as-image/resources/link-xhtml.svg: Added.
		16	* svg/as-image/resources/link.svg: Added.
		17	* svg/as-image/svg-canvas-link-not-colored-expected.txt: Added.
		18	* svg/as-image/svg-canvas-link-not-colored.html: Added.
		19	* svg/as-image/svg-canvas-not-tainted-expected.txt: Added.
		20	* svg/as-image/svg-canvas-not-tainted.html: Added.
		21	* svg/as-image/svg-canvas-xhtml-tainted-expected.txt: Added.
		22	* svg/as-image/svg-canvas-xhtml-tainted.html: Added.
		23
1	2013-08-06 Bem Jones-Bey <bjonesbe@adobe.com>	24	2013-08-06 Bem Jones-Bey <bjonesbe@adobe.com>
2		25
3	[CSS Shapes] New positioning model: support for shape-margin	26	[CSS Shapes] New positioning model: support for shape-margin

Lines 1-46 a/LayoutTests/fast/canvas/svg-taint.html_sec1
- a/LayoutTests/fast/canvas/svg-taint.html -46 lines
1	<html>
2	<head>
3	<script>
4	if (window.testRunner) {
5	testRunner.dumpAsText();
6	testRunner.waitUntilDone();
7	}
8
9	function log(message) {
10	var console = document.getElementById('log');
11	console.appendChild(document.createTextNode(message));
12	console.appendChild(document.createElement('br'));
13	}
14
15	function loaded() {
16	var canvas = document.getElementById('canvas');
17	var ctx = canvas.getContext("2d");
18	var img = document.getElementById('img');
19	log('Starting...');
20
21	// This should taint the canvas by rendering an SVG on to it via the pattern
22	// route.
23	var p = ctx.createPattern(img, 'repeat');
24	ctx.fillStyle = p;
25	ctx.fillRect(0, 0, 100, 100);
26
27	try {
28	// This should fail as the canvas should be tainted.
29	var data = ctx.getImageData(0, 0, 10, 10);
30	log('Oh dear -- missing exception!');
31	} catch (e) {
32	log('Exception: ' + e.name);
33	if (window.testRunner)
34	testRunner.notifyDone();
35	}
36	}
37	</script>
38	</head>
39	<body>
40	Let's check that rendering an SVG pattern to a canvas taints it!
41	<p>
42	See https://bugs.webkit.org/show_bug.cgi?id=36838
43	<div id="log"></div>
44	<canvas id="canvas" width="100" height="100"></canvas>
45	<img id="img" onload="loaded()" src="resources/empty.svg"></img>
46	</body>

Line 0 a/LayoutTests/svg/as-image/resources/link-xhtml.svg_sec1
- a/LayoutTests/svg/as-image/resources/link-xhtml.svg +8 lines
	1	<?xml version="1.0"?>
	2	<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
	3	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml" viewBox="0 0 100 100">
	4	<foreignObject width="100" height="100">
	5	<style>a div { background-color: green; width: 100px; height: 100px } a:link div, a:visited div { background-color: red }</style>
	6	<xhtml:a href="http://www.example.com/"><xhtml:div></xhtml:div></xhtml:a>
	7	</foreignObject>
	8	</svg>

Line 0 a/LayoutTests/svg/as-image/svg-canvas-link-not-colored.html_sec1
- a/LayoutTests/svg/as-image/svg-canvas-link-not-colored.html +39 lines
	1	<!DOCTYPE html>
	2	<html>
	3	<head>
	4	<script src="../../fast/js/resources/js-test-pre.js"></script>
	5	</head>
	6	<body>
	7	<script>
	8	if (window.testRunner) {
	9	testRunner.dumpAsText();
	10	testRunner.waitUntilDone();
	11	}
	12
	13	var svg = new Image();
	14	svg.src = "resources/link.svg";
	15
	16	svg.onload = function() {
	17	var canvas = document.createElement("canvas");
	18	var ctx = canvas.getContext("2d");
	19
	20	window.colorChannels = ctx.getImageData(0, 0, 1, 1).data;
	21
	22	shouldBe("window.colorChannels[0]", "0");
	23	shouldBe("window.colorChannels[1]", "0");
	24	shouldBe("window.colorChannels[2]", "0");
	25
	26	ctx.drawImage(svg, 0, 0);
	27
	28	window.colorChannels = ctx.getImageData(0, 0, 1, 1).data;
	29
	30	shouldBe("window.colorChannels[0]", "0");
	31	shouldBe("window.colorChannels[1]", "128");
	32	shouldBe("window.colorChannels[2]", "0");
	33
	34	if (window.testRunner)
	35	testRunner.notifyDone();
	36	};
	37	</script>
	38	</body>
	39	</html>