Closed Bug 1150957 Opened 9 years ago Closed 9 years ago

When h.264 support is missing, Vine tries & fails to load content from a "blob:https://vine.co/..." URI (which fails because blob: is not allowed in their CSP)

Categories

(Web Compatibility :: Site Reports, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(firefox40 affected)

RESOLVED FIXED
Tracking Status
firefox40 --- affected

People

(Reporter: dholbert, Unassigned)


Details

(Whiteboard: [country-us] [js] [sitewait])

STR:
 1. Load https://vine.co/v/OlagjVlx5D6 in nightly

EXPECTED RESULTS: video should play.

ACTUAL RESULTS: video area is just black, and error console contains:
Content Security Policy: The page's settings blocked the loading of a resource at blob:https://vine.co/ad5ecd7f-9f3f-47b6-85cb-8fea1990a1c1 ("object-src https://vine.co https://vine.co https://vine.co https://vines.s3.amazonaws.com https://*.cdn.vine.co https://media.vineapp.com").

I think this is either a tech evang issue (do they need to include 'blob:https://vine.co/' in their CSP?), or a Firefox bug (do we need to treat blob: URIs as same-origin with their origin, for CSP purposes?)

I suspect it's the latter (a Firefox bug w/ CSP handling); hence, filing in Core|Security.
Hmm, I also see this in my error console:
Specified "type" attribute of "video/mp4" is not supported. Load of media resource default.mp4 failed. OlagjVlx5D6
All candidate resources failed to load. Media load paused. OlagjVlx5D6
Specified "type" attribute of "video/mp4" is not supported. Load of media resource default.mp4 failed. OlagjVlx5D6
All candidate resources failed to load. Media load paused. OlagjVlx5D6
HTTP "Content-Type" of "video/mp4" is not supported. Load of media resource https://mtc.cdn.vine.co/r/videos/6094A4C64F1195371287929823232_3ad0c708908.2.1.1328857174910868661.mp4?versionId=Hjz9Siq0uGR_ezLmlm8Dd60bRH0MIUME failed.

So the "video not playing" issue might just be that I don't have mp4 support. I may spin off a separate bug for that; but let's keep this bug focused on the CSP error-console message & whether that's legitimate or not.
Summary: Vine video won't play due to CSP → Firefox blocks vine from loading content at "blob:https://vine.co/..." despite https://vine.co being allowed in CSP
I'm running Firefox Nightly 40.0a1 (2015-04-03) on Ubuntu 14.10, FWIW.
> do they need to include 'blob:https://vine.co/' in their CSP?

More precisely, 'blob:'.

And I think they do.  If you look at https://w3c.github.io/webappsec/specs/CSP2/#match-source-expression we come in, the source expressions here are all host-source expressions, the url's host is null, so it does not match.

What's needed here to get a match is a scheme-source expression for the "blob" scheme, afaict.

Mike, am I missing something here?  Chrome doesn't seem to implement what the spec says here.  In particular, http://web.mit.edu/bzbarsky/www/testcases/security/blob-csp-disallowed-2.html alerts "FAIL" whereas per spec it should be alerting "PASS" as far as I can tell.  And I did check that Chrome supports CSP in <meta>; see http://web.mit.edu/bzbarsky/www/testcases/security/blob-csp-disallowed-1.html to see it working.
Flags: needinfo?(mkwst)
Yes, it looks like Chrome is doing the wrong thing here. I'll take a look. Filed https://crbug.com/473904
Flags: needinfo?(mkwst)
I can confirm this bug on Windows XP 64-bit; I get the same console error.
Running Firefox 37.0.1.
The specified "type" attribute of "video/mp4" is not supported. Load of media resource default.mp4 failed. O0L6pO20gn9
All candidate resources failed to load. Media load paused. O0L6pO20gn9
The specified "type" attribute of "video/mp4" is not supported. Load of media resource default.mp4 failed. O0L6pO20gn9
All candidate resources failed to load. Media load paused. O0L6pO20gn9
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. vendor.min.js:2:0
HTTP "Content-Type" of "video/mp4" is not supported. Load of media resource https://v.cdn.vine.co/r/videos_h264high/9DE27312131185434634050330624_SW_WEBM_14256037054887483a7b028.mp4?versionId=sJ8_wx.YwXyzn9ichHd1Pfgu2Oi0LW7s failed. O0L6pO20gn9

All candidate resources failed to load. Media load paused.
This bug is tech evangelism, per comment 4. The errors mentioned in comment 7 are the same as those mentioned in comment 1.
Component: Security → Desktop
Product: Core → Tech Evangelism
That said, I'm not seeing this CSP error on the console on this site...
I still do.

Per comment 1, I think vine might only take this code-path if you don't have h.264 support built into your Firefox. (It's after a 'Specified "type" attribute of "video/mp4" is not supported' error-message.)  Firefox Nightly on Linux does not have h.264 support built-in, IIRC.
Pinged them on Twitter to get the Tech Evang ball rolling:
  https://twitter.com/CodingExon/status/588456192478818304
The video plays (and others) for me on OSX. I do see the following (unrelated, looks like) errors in the console though, which don't appear in Chrome:

HTTP load failed with status 404. Load of media resource https://vine.co/v/default.mp4 failed. OlagjVlx5D6
HTTP "Content-Type" of "text/html" is not supported. Load of media resource https://vine.co/default.mp4 failed. vine.co
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://v.cdn.vine.co/r/videos/75BF7135A51198833396504207360_319451ccea2.2.1.4371735900603496352.mp4?versionId=p8u8rP6NST0tHPtG6QnkZC9Incj4cxpe. (Reason: CORS request failed).

So you're probably right about this lacking h264 support to hit the bugpath Daniel.
Summary: Firefox blocks vine from loading content at "blob:https://vine.co/..." despite https://vine.co being allowed in CSP → Firefox blocks vine from loading content at "blob:https://vine.co/..." (https://vine.co is allowed in CSP, but not blob:)
Summary: Firefox blocks vine from loading content at "blob:https://vine.co/..." (https://vine.co is allowed in CSP, but not blob:) → When h.264 support is missing, Vine tries & fails to load content from a "blob:https://vine.co/..." URI (because blob: is not allowed in their CSP)
Summary: When h.264 support is missing, Vine tries & fails to load content from a "blob:https://vine.co/..." URI (because blob: is not allowed in their CSP) → When h.264 support is missing, Vine tries & fails to load content from a "blob:https://vine.co/..." URI (which fails because blob: is not allowed in their CSP)
Whiteboard: [country-us] [js] [sitewait]
Two notes on the CSP-blocked resource:
 (1) I verified that it is indeed a video file. (I verified this by copypasting the blob URI from my error console and loading it directly in a new tab. This prompts me to download a video file & I can open it in a video player.)

 (2) If I allow Vine to load its blob URI, by disabling CSP (via the about:config pref 'security.csp.enable'), I still don't get any video playback directly on the vine page. That's likely because the blob resource is still h.264-encoded, and my linux Nightly lacks h.264 support.

So, the desired end state here may not be video-plays-great-and-all-is-well -- for the purposes of this bug, let's just focus on updating Vine to stop blocking its own blob URIs. (whether or not that means functional video on platforms w/o h.264 support)
Vine eng here.

1. If your browser doesn't support mp4 natively, we'll fallback to Flash. If you don't have Flash, well, you get nothing.

2. The "default.mp4" reference is a file we have set as the src for our video element on page load, which we then immediately swap out (though not before the request is made, it seems) for the blob URL, or MediaSource, or HTTP URL, depending on which approach is taken for your browser's capabilities.

I can replicate the CSP issue on OS X by disabling mp4 in about:config. Working on this now.
It seems there's two issues at play here. The first is the CSP issue, which is now resolved (I added blob: to object-src). The second is that the Flash fallback does not appear to be working correctly, which I am continuing to dig in to.
The Flash fallback has now been fixed. If you have Flash & no mp4, you can still view Vines. In the no/no case, there's very little we can do for you.
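As an added example, not code from Vine, Firefox or this bug, the following Node.js snippet implements the CSP2 "match source expression" rule that bz walks through above (scheme-source and host-source only; 'self', 'none', nonces and hashes are out of scope) and runs it against the object-src value Firefox printed in comment 0, before and after the blob: scheme-source Vine added. Function and constant names (allowsUrl, OBJECT_SRC_BEFORE, etc.) are my own; the policy string and blocked URL are copied from the error-console message.

```javascript
'use strict';
// Added example (not Vine's or Firefox's code): minimal CSP2 source-expression
// matching, enough to show why a host-source such as "https://vine.co" can
// never match a blob: URL, and why the scheme-source "blob:" does.
// Uses Node's global WHATWG URL parser; no other dependencies.

const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443', ftp: '21' };

// Parse one source expression into a scheme-source or host-source record.
function parseSourceExpression(expr) {
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return { kind: 'scheme', scheme: schemeOnly[1].toLowerCase() };
  // host-source: [scheme "://"] host [":" port] [path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    kind: 'host',
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// "*.example.com" needs at least one extra label; "*" matches any host.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// No port in the expression means the URL must be on its scheme's default
// port, which the WHATWG URL parser reports as an empty string.
function portMatches(pattern, url) {
  const effective = url.port || DEFAULT_PORTS[url.protocol.slice(0, -1)] || '';
  if (pattern === null) return url.port === '';
  if (pattern === '*') return true;
  return pattern === effective;
}

// A path ending in "/" is a prefix match; any other path must match exactly.
function pathMatches(pattern, urlPath) {
  if (pattern === null) return true;
  return pattern.endsWith('/') ? urlPath.startsWith(pattern) : pattern === urlPath;
}

function matchSourceExpression(expr, url, pageScheme) {
  const src = parseSourceExpression(expr);
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (src.kind === 'scheme') return src.scheme === urlScheme;

  // First host-source step in the spec: a URL whose host is null cannot match.
  // blob:, data: and filesystem: URLs have no host, whatever their origin is.
  if (url.hostname === '') return false;

  if (src.scheme !== null) {
    if (src.scheme !== urlScheme) return false;
  } else if (urlScheme !== pageScheme && !(pageScheme === 'http' && urlScheme === 'https')) {
    return false; // no scheme in the expression: inherit the page's scheme (http may upgrade to https)
  }
  return hostMatches(src.host, url.hostname.toLowerCase())
    && portMatches(src.port, url)
    && pathMatches(src.path, url.pathname);
}

// Does a directive value (the space-separated source list) allow this URL?
function allowsUrl(directiveValue, urlString, pageScheme = 'https') {
  const url = new URL(urlString);
  return directiveValue.trim().split(/\s+/)
    .some((expr) => matchSourceExpression(expr, url, pageScheme));
}

// object-src as Firefox reported it in comment 0 (duplicates preserved),
// and the same list with the scheme-source that was later added.
const OBJECT_SRC_BEFORE = 'https://vine.co https://vine.co https://vine.co https://vines.s3.amazonaws.com https://*.cdn.vine.co https://media.vineapp.com';
const OBJECT_SRC_AFTER = 'blob: ' + OBJECT_SRC_BEFORE;

// The blocked URL from the error console.
const BLOB_URL = 'blob:https://vine.co/ad5ecd7f-9f3f-47b6-85cb-8fea1990a1c1';

function demo() {
  console.log('host of blob URL:', JSON.stringify(new URL(BLOB_URL).hostname)); // ""
  console.log('before fix:', allowsUrl(OBJECT_SRC_BEFORE, BLOB_URL)); // false
  console.log('after fix: ', allowsUrl(OBJECT_SRC_AFTER, BLOB_URL));  // true
}
demo();
```

The point the output makes concrete: the WHATWG parser gives the blob URL an empty host even though its origin is https://vine.co, and CSP2 host-source matching keys on host, not origin, so no amount of listing https://vine.co helps; only a scheme-source does. The same matcher also rejects http://vine.co/..., a non-default port, and a bare cdn.vine.co against https://*.cdn.vine.co, which is the behaviour a reviewer would want to confirm before widening a policy with blob:.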
Great! Confirmed fixed on my end -- when I view the Vine URL from comment 0, in my Nightly which has flash installed but no h.264/mp4 support, I now see:
 (1) working flash video
 (2) no CSP error in my error console.

So, calling this FIXED. (matching comment 0's EXPECTED RESULTS, & comment 1's implicit expected results [no CSP error]) Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Thanks Thomas (and the rest of Vine)!
I can confirm this as fixed also on Firefox 37.0.1 ... with flash plugin on Windows XP 64.
Product: Tech Evangelism → Web Compatibility