1 files changed, 32 insertions, 2 deletions

diff --git a/dom/canvas/ImageBitmap.cpp b/dom/canvas/ImageBitmap.cpp
index 4a1b6e3c2..6efe1b318 100644
--- a/dom/canvas/ImageBitmap.cpp
+++ b/dom/canvas/ImageBitmap.cpp
@@ -315,6 +315,36 @@ private:
   const Maybe<IntRect>& mCropRect;
 };
 
+static bool
+CheckSecurityForHTMLElements(bool aIsWriteOnly, bool aCORSUsed, nsIPrincipal* aPrincipal)
+{
+  MOZ_ASSERT(aPrincipal);
+
+  if (aIsWriteOnly) {
+    return false;
+  }
+
+  if (!aCORSUsed) {
+    nsIGlobalObject* incumbentSettingsObject = GetIncumbentGlobal();
+    if (NS_WARN_IF(!incumbentSettingsObject)) {
+      return false;
+    }
+
+    nsIPrincipal* principal = incumbentSettingsObject->PrincipalOrNull();
+    if (NS_WARN_IF(!principal) || !(principal->Subsumes(aPrincipal))) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+static bool
+CheckSecurityForHTMLElements(const nsLayoutUtils::SurfaceFromElementResult& aRes)
+{
+  return CheckSecurityForHTMLElements(aRes.mIsWriteOnly, aRes.mCORSUsed, aRes.mPrincipal);
+}
+
 /*
  * A wrapper to the nsLayoutUtils::SurfaceFromElement() function followed by the
  * security checking.
@@ -335,7 +365,7 @@ GetSurfaceFromElement(nsIGlobalObject* aGlobal, HTMLElementType& aElement,
   }
   
   // Check origin-clean and pass back
-  *aWriteOnly = res.mIsWriteOnly;
+  *aWriteOnly = !CheckSecurityForHTMLElements(res);
 
   return surface.forget();
 }
@@ -788,7 +818,7 @@ ImageBitmap::CreateInternal(nsIGlobalObject* aGlobal, HTMLVideoElement& aVideoEl
   nsCOMPtr<nsIPrincipal> principal = aVideoEl.GetCurrentVideoPrincipal();
   bool CORSUsed = aVideoEl.GetCORSMode() != CORS_NONE;
 
-  writeOnly = CheckWriteOnlySecurity(CORSUsed, principal);
+  writeOnly = !CheckSecurityForHTMLElements(false, CORSUsed, principal);
 
   // Create ImageBitmap.
   ImageContainer *container = aVideoEl.GetImageContainer();