Last night, we were informed of security vulnerabilities in the implementation of an experimental extension to createImageBitmap() accepting ArrayBuffer and ArrayBufferView arguments which, as it turns out, was accidentally shipped in bug 1141979. After careful examination it became clear that the implementation had several issues and a complete and safe fix would probably not be something that could be deployed with a high degree of confidence in a short amount of time to the release channel. The createImageBitmap() API, including the other overloads which other engines also do ship isn’t a very popular API according to Chrome’s usage statistics: < https://www.chromestatus.com/metrics/feature/popularity#CreateImageBitmap>. As to the best of our knowledge no other engine ships this variant of createImageBitmap and we never intended to ship it and never publicized the fact that we did, we decided that the best course of action, as unusual as this would be, is to immediately unship the API. As such, I wrote a patch in bug to immediately do the following on all the branches, including Firefox 52.0.1 which was released a little while ago:
* Hide this overload with the following WebIDL signature behind the canvas.imagebitmap_extensions.enabled preference. * Turn this preference off on all branches by default. The WebIDL signature in question is: Promise<ImageBitmap> createImageBitmap(ImageBitmapSource aImage, long aOffset, long aLength, ImageBitmapFormat aFormat, ImagePixelLayout aLayout); (We only supported the ArrayBuffer and ArrayBufferView variants of ImageBitmapSource.) This work happened in bug 1348168. Also, please note that on Nightly and Aurora, where this preference used to be on before, it controlled some other ImageBitmap API extensions which are now also turned off because this work happened late at night and nobody felt comfortable with leaving the rest of these extensions enabled enabled. I’d like to reiterate that having this pref set to a non-default value is currently extremely dangerous. Thanks, Ehsan _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
