From e9afcc9ec3e990eb1ebc79790fcf5048372858c1 Mon Sep 17 00:00:00 2001 From: jmoenig Date: Wed, 18 Sep 2013 15:34:59 +0200 Subject: [PATCH] prevent costumes with imported CORS-tainted canvases expected to fix #155, #154, #151, #148, #147, #127 for future projects --- gui.js | 15 ++++++++++++++- history.txt | 4 ++++ objects.js | 20 +++++++++++++++++++- 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/gui.js b/gui.js index c11793e8..e68d62cf 100644 --- a/gui.js +++ b/gui.js @@ -68,7 +68,7 @@ sb, CommentMorph, CommandBlockMorph*/ // Global stuff //////////////////////////////////////////////////////// -modules.gui = '2013-September-17'; +modules.gui = '2013-September-18'; // Declarations @@ -1488,6 +1488,19 @@ IDE_Morph.prototype.droppedImage = function (aCanvas, name) { aCanvas, name ? name.split('.')[0] : '' // up to period ); + + if (costume.isTainted()) { + this.inform( + 'Unable to import this image', + 'The picture you wish to import has been\n' + + 'tainted by a restrictive cross-origin policy\n' + + 'making it unusable for costumes in Snap!. \n\n' + + 'Try downloading this picture first to your\n' + + 'computer, and import it from there.' + ); + return; + } + this.currentSprite.addCostume(costume); this.currentSprite.wearCostume(costume); this.spriteBar.tabBar.tabTo('costumes'); diff --git a/history.txt b/history.txt index 276a187b..625bb1d5 100755 --- a/history.txt +++ b/history.txt @@ -1912,3 +1912,7 @@ ______ * GUI: fixed #119, #149 (accessing a shared projects requires lowercasing the username) * Portuguese translation update for SPLIT block, thanks, Manuel! * Store, Objects: prevent costumes from being drawn while they are loading, fixes parts of #154 + +130918 +------ +* Objects, GUI: prevent costumes with CORS-tainted canvases, expected to fix #155, #154, #151, #148, #147, #127 for future projects diff --git a/objects.js b/objects.js index 9e61d580..398a61db 100644 --- a/objects.js +++ b/objects.js 
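Review bot: The new `costume.isTainted()` guard in the gui.js hunk at `IDE_Morph.prototype.droppedImage` covers only the drag-and-drop path. Any other code that builds a `Costume` from a canvas (not visible in this hunk) would still accept a tainted one, and the commit message itself limits the fix to future projects. It would help to say at the check why the import is refused, for example `// reject tainted canvases up front: later getImageData()/toDataURL() calls on this costume would throw a SecurityError`. The body of `droppedImage` starts and ends outside the hunk, so whether the early `return` skips any cleanup the rest of the function performs cannot be confirmed from here.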
@@ -124,7 +124,7 @@ PrototypeHatBlockMorph*/ // Global stuff //////////////////////////////////////////////////////// -modules.objects = '2013-September-17'; +modules.objects = '2013-September-18'; var SpriteMorph; var StageMorph; @@ -5246,6 +5246,24 @@ Costume.prototype.thumbnail = function (extentPoint) { return trg; }; +// Costume catching "tainted" canvases + +Costume.prototype.isTainted = function () { + // find out whether the canvas has been tainted by cross-origin data + // assumes that if reading image data throws an error it is tainted + try { + this.contents.getContext('2d').getImageData( + 0, + 0, + this.contents.width, + this.contents.height + ); + } catch (err) { + return true; + } + return false; +}; + // SVG_Costume ///////////////////////////////////////////////////////////// /*
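Review bot: The `catch (err)` in `Costume.prototype.isTainted` reports every exception as taint. A canvas with zero width or height (where `getImageData` raises an index-size error) or a missing `contents` would therefore trigger the cross-origin dialog for an unrelated reason. Because the origin-clean flag applies to the canvas as a whole, the probe only needs one pixel: `this.contents.getContext('2d').getImageData(0, 0, 1, 1);`. That also avoids copying the full bitmap on every dropped image. If treating unknown failures as tainted is deliberate, the comment should say so, e.g. `// any failure is treated as tainted (fail closed); SecurityError is the expected case`.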