authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-12 12:52:22 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-12 14:48:28 +0000
commit7b5e48775b3ac89f49d4b0f74b7db03540cc212b (patch)
treefa882c090a097242cb8912756ac94de3a2839f24
parent6c8f45a91435efeac8840393e42d676e59910db3 (diff)
downloadqtwebengine-chromium-7b5e48775b3ac89f49d4b0f74b7db03540cc212b.tar.gz
[Backport] Fix for security issue 907047
Remove caching of CORS info from CanvasRenderingContext. Before this CL, CanvasRenderingContext remembered which request URLs were CORS same-origin and which were CORS cross-origin. This worked relatively well in a pre-service-worker world. But with service workers, the same request URL can have different response URLs. Also, even if two things have the same response URL, they could differ in whether they were CORS approved or not. The solution is to remove the caching entirely. This causes more calls to CanvasImageSource::WouldTaintOrigin(), but the implementations of those look relatively lightweight so I don't expect performance to be worse than tracking URLs in two HashSets. Test: fetch-canvas-tainting-double-write.https.html added in https://chromium-review.googlesource.com/c/chromium/src/+/1347952. Bug: 907047 Change-Id: I4cf6289174935dee40ccad0364eb425d717b9f7f Reviewed-on: https://chromium-review.googlesource.com/c/1347953 Reviewed-by: Fernando Serboncini <fserb@chromium.org> Reviewed-by: Makoto Shimazu <shimazu@chromium.org> Commit-Queue: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#610498} Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.cc21
-rw-r--r--chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.h4
2 files changed, 1 insertions, 24 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.cc b/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.cc
index bcde1d0e928..2f05ffa69cf 100644
--- a/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.cc
+++ b/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.cc
@@ -171,26 +171,7 @@ CanvasRenderingContext::ResolveContextTypeAliases(
bool CanvasRenderingContext::WouldTaintOrigin(
CanvasImageSource* image_source,
const SecurityOrigin* destination_security_origin) {
- const KURL& source_url = image_source->SourceURL();
- bool has_url = (source_url.IsValid() && !source_url.IsAboutBlankURL());
-
- if (has_url) {
- if (source_url.ProtocolIsData() ||
- clean_urls_.Contains(source_url.GetString()))
- return false;
- if (dirty_urls_.Contains(source_url.GetString()))
- return true;
- }
-
- bool taint_origin =
- image_source->WouldTaintOrigin(destination_security_origin);
- if (has_url) {
- if (taint_origin)
- dirty_urls_.insert(source_url.GetString());
- else
- clean_urls_.insert(source_url.GetString());
- }
- return taint_origin;
+ return image_source->WouldTaintOrigin(destination_security_origin);
}
void CanvasRenderingContext::Trace(blink::Visitor* visitor) {
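Review bot: The new body `return image_source->WouldTaintOrigin(destination_security_origin);` carries no comment recording why the per-URL cache was dropped, so a later maintainer chasing the extra WouldTaintOrigin() calls could reintroduce exactly the cross-origin leak this backport fixes. A short note above the return would pin the invariant: `// Never cache this per source URL: with service workers one request URL can yield different response URLs, and two responses with the same URL can differ in CORS status, so taint must be re-evaluated on every call (bug 907047).` The removed branch also answered "not tainting" for data: URLs before consulting the image source, whereas the new code relies on each CanvasImageSource::WouldTaintOrigin() implementation to treat data: URLs the same way; that is presumably the case but is worth confirming against the test named in the description, since a behavioural difference here would surface as a spurious taint rather than a leak. Dereferencing image_source without a null check is unchanged from the old code and is not a new concern.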
diff --git a/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.h b/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.h
index 4e74a0202bb..bea00b9f15f 100644
--- a/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.h
+++ b/chromium/third_party/blink/renderer/core/html/canvas/canvas_rendering_context.h
@@ -35,8 +35,6 @@
#include "third_party/blink/renderer/core/offscreencanvas/offscreen_canvas.h"
#include "third_party/blink/renderer/platform/graphics/canvas_color_params.h"
#include "third_party/blink/renderer/platform/graphics/color_behavior.h"
-#include "third_party/blink/renderer/platform/wtf/hash_set.h"
-#include "third_party/blink/renderer/platform/wtf/text/string_hash.h"
#include "third_party/skia/include/core/SkColorSpace.h"
#include "third_party/skia/include/core/SkImageInfo.h"
@@ -197,8 +195,6 @@ class CORE_EXPORT CanvasRenderingContext : public ScriptWrappable,
void Dispose();
Member<CanvasRenderingContextHost> host_;
- HashSet<String> clean_urls_;
- HashSet<String> dirty_urls_;
CanvasColorParams color_params_;
CanvasContextCreationAttributesCore creation_attributes_;
bool finalize_frame_scheduled_ = false;