Closed
Bug 1228677
Opened 9 years ago
Closed 8 years ago
Cloning <video crossorigin> trips assertion failure: "can not enforce CORS when calling Open2()"
Categories
(Core :: Audio/Video, defect, P1)
Core
Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla47
People
(Reporter: jruderman, Assigned: ckerschb)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(3 files, 1 obsolete file)
Assertion failure: (loadInfo->GetSecurityMode() & nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS) == 0 (can not enforce CORS when calling Open2()), at dom/media/MediaResource.cpp:1320 This assertion was added in: changeset: https://hg.mozilla.org/mozilla-central/rev/f737c4a01752 user: Christoph Kerschbaumer date: Sat Sep 12 12:59:08 2015 -0700 summary: Bug 1194524 - Use channel->ascynOpen2 in dom/media/MediaResource.cpp (r=sicking)
Reporter | ||
Comment 1•9 years ago
|
||
Updated•9 years ago
|
Component: DOM → Audio/Video
Comment 2•9 years ago
|
||
Note that you will probably need to run the testcase from a file:// URI to get it to hit this codepath. Or at least the video URL will need to be a file:// URI and the testcase will need to be able to link to file://.
Reporter | ||
Updated•9 years ago
|
Attachment #8693098 -
Attachment description: testcase → testcase (save, fix paths, load from file:)
Assignee | ||
Comment 3•9 years ago
|
||
We just fixed a similar issue for XSLT [1]. Jonas, do we need a better fix for the problem of needing CORS when calling Open2()? Not sure if the problem described in this bug is an actual problem on a webpage and if we need to fix it at all. But if we need a fix for that problem, then potentially we should fix it in the contentSecuritymanager rather than on every callsite. What do you think? [1] https://hg.mozilla.org/integration/mozilla-inbound/rev/f1c08ce11d24
Flags: needinfo?(jonas)
I don't have a strong opinion either way. I don't think this needs to stay security-sensitive though. At worst we probably crash with a null-pointer dereference here.
Flags: needinfo?(jonas)
Updated•9 years ago
|
Group: media-core-security
Updated•8 years ago
|
Group: dom-core-security
Updated•8 years ago
|
Priority: -- → P1
Christoph, are you on this one?
Flags: needinfo?(mozilla)
Assignee | ||
Comment 6•8 years ago
|
||
(In reply to Jonas Sicking (:sicking) from comment #5) > Christoph, are you on this one? Hey Jesse, sorry for the lag of response here. Anyway, I can't reproduce the assertion. I adopted the paths in your testfile (I tested that I adopted the path correctly by directly copying the location into the URL bar and it loads) but when opening the testilfe it rather uses asyncOpen2() [1] instead of open2() [2] within MediaResource.cpp. Note that the assertion only gets triggered when using the codepath of open2(). What am I doing wrong? Can you still reproduce the error? [1] https://hg.mozilla.org/integration/mozilla-inbound/rev/f737c4a01752#l1.18 [2] https://hg.mozilla.org/integration/mozilla-inbound/rev/f737c4a01752#l1.116
Flags: needinfo?(mozilla) → needinfo?(jruderman)
Assignee | ||
Comment 7•8 years ago
|
||
Assigning to myself to make sure this one gets fixed (if it turns out to be a real problem) ASAP.
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Assignee | ||
Comment 8•8 years ago
|
||
Jesse, can you still reproduce that problem are can we close this bug as invalid?
Assignee | ||
Comment 9•8 years ago
|
||
Tanvi, I have been trying forever to reproduce this error using mac and linux. Any chance you try and let me know if you can reproduce the problem? In my testing it's always openend using ::AsyncOpen2() and never using ::open2().
Flags: needinfo?(tanvi)
Assignee | ||
Comment 10•8 years ago
|
||
Also opening up this bug as disccused within Comment 4.
Group: media-core-security
Assignee | ||
Comment 11•8 years ago
|
||
Finally I am able to reproduce, you also need to set:
> user_pref("security.fileuri.strict_origin_policy", false);
Flags: needinfo?(tanvi)
Flags: needinfo?(jruderman)
Assignee | ||
Comment 12•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/38035/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/38035/
Attachment #8726481 -
Flags: review?(jonas)
Assignee | ||
Comment 13•8 years ago
|
||
Jonas, it seems we introduced the bug ourselves :-( If you look at [1] there was never CORS enforced for FileMediaResource, only for ChannelMediaResource. So I think we just need to revert that change. [1] https://hg.mozilla.org/mozilla-central/rev/f737c4a01752
Someone that knows this code should review this. But why remove the assertion before the Open2() call?
Assignee | ||
Comment 15•8 years ago
|
||
(In reply to Jonas Sicking (:sicking) from comment #14) > Someone that knows this code should review this. But why remove the > assertion before the Open2() call? We could keep it, but I figured we also have that assertion [1]. I am fine either way. Chris, as the module owner, could you take a look and review those bits? [1] http://mxr.mozilla.org/mozilla-central/source/dom/security/nsContentSecurityManager.cpp#107
Flags: needinfo?(cpearce)
Comment 16•8 years ago
|
||
Note: We use FileMediaResource for reading blob URIs. So you don't need to be loading from a local file to hit this. I can repro this assertion failure with this testcase: <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <script> function boom() { var v = document.querySelector('video'); v.onloadeddata = function() { v.cloneNode(false); }; fetch('http://people.mozilla.org/~cpearce/video/h264_baseline_lvl3.mp4') .then(function(response) { return response.blob(); }) .then(function(myBlob) { v.src = URL.createObjectURL(myBlob); }); } </script> </head> <body onload="boom();"> <video id="x" src="" crossorigin="true"></video> </body> </html>
Comment 17•8 years ago
|
||
I think this patch is safe, because we only clone a media element's underlying FileMediaResources into a new media element if the old and the new media element have equal principals and the same values of "crossorigin" attributes; see the call to HTMLMediaElement::LookupMediaElementURITable() in HTMLMediaElement::LoadResource(). Note my testcase in comment 16 causes Beta Firefox 45 to crash when the testcase was loaded from a local webserver.
Flags: needinfo?(cpearce)
Comment 18•8 years ago
|
||
(In reply to Chris Pearce (:cpearce) from comment #17) > I think this patch is safe, because we only clone a media element's > underlying FileMediaResources into a new media element if the old and the > new media element have equal principals and the same values of "crossorigin" > attributes; see the call to HTMLMediaElement::LookupMediaElementURITable() > in HTMLMediaElement::LoadResource(). That is to say, we explicitly do a CORS check before going down the clone path in question here.
Assignee | ||
Comment 19•8 years ago
|
||
(In reply to Chris Pearce (:cpearce) from comment #17) > I think this patch is safe, Thanks for the info Chris. I think Jonas would prefer if someone signs off on the patch. Would you be willing to do that?
Attachment #8726481 -
Attachment is obsolete: true
Attachment #8726481 -
Flags: review?(jonas)
Attachment #8727238 -
Flags: review?(cpearce)
Comment 20•8 years ago
|
||
Comment on attachment 8727238 [details] [diff] [review] bug_1228677_fix_cors_error.patch Review of attachment 8727238 [details] [diff] [review]: ----------------------------------------------------------------- r=cpearce.
Attachment #8727238 -
Flags: review?(cpearce) → review+
Assignee | ||
Comment 21•8 years ago
|
||
(In reply to Chris Pearce (:cpearce) from comment #20) > Comment on attachment 8727238 [details] [diff] [review] > bug_1228677_fix_cors_error.patch > > Review of attachment 8727238 [details] [diff] [review]: > ----------------------------------------------------------------- > > r=cpearce. Thanks Chris!
Keywords: checkin-needed
Updated•8 years ago
|
Flags: in-testsuite?
Comment 22•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/30fa1cfd2ec8
Keywords: checkin-needed
Comment 23•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/30fa1cfd2ec8
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox47:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in
before you can comment on or make changes to this bug.
Description
•