Video element having crossorigin="use-credentials" cannot be played for cross-origin video source




Audio/Video: Playback
2 years ago
a year ago


(Reporter: mitar.alex, Unassigned, NeedInfo)


43 Branch
Windows 8

Firefox Tracking Flags

(Not tracked)



(1 attachment)



2 years ago
Created attachment 8741832 [details]

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

OS: Windows 8/10
Firefox: 43.0.1

In our system we develop a solution that allows to watch 360 video (as Youtube does).
For this purpose we use WebGL canvas and render 360 video on it.
Video is loaded from our file storage.
File storage and site are located on the different domains.
File storage uses cookie-based authentication.

To use video element for video source from another domain as a source for GL texture we have to use crossorigin attribute.
We cannot set it to 'anonymous' value because we need to transfer authorization cookies to our file storage.
So we set crossorigin attribute to 'use-credentials' value.

Actual results:

When we try to load video video element displays that 'Video playback aborted due to the network error.'

On the network tab of Developer Tools I see two requests for the source url sent by video element.
The first one is successful and transfers all authentication cookies (status 206).
The second sends 403 error because it does not transfer cookies at all.

Expected results:

Video element should transfer authentication cookies correctly for each request.

FYI: Our solution works in Chrome browser.


2 years ago
OS: Unspecified → Windows 8
Hardware: Unspecified → x86_64


2 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
I assume that you're replying with the right CORS headers?  It's hard to tell what's going on here without either a link to a page showing the problem or more information about what exact network traffic you're seeing, including the complete request and response headers (excluding your auth tokens, obviously) for lal the requests involved.

Note that you may want to test in a current/supported version of Firefox also, just to make sure it's still an issue there.  In this case that would be Firefox 46.
Flags: needinfo?(mitar.alex)
Also, what the actual video element looks like and how it's set up might be useful (the source if it's just a static element, the script that builds the DOM tree and puts it in the DOM if it's script-generated) if you can't provide a link to the page showing the problem.
Component: DOM: Security → Audio/Video
Ever confirmed: true
Component: Audio/Video → Audio/Video: Playback
Jason - should this be in the networking component?
Flags: needinfo?(jduell.mcbugs)
Anthony--I'm not sure what's going on here, but my gut guess is that this is either XHR not adding the header, or the CORS code, or some sort of issue with our new principals.  I.e. I suspect it's above the level of the necko code, which pretty much does what it's told to do by upper layers. 

What we really need here is a reproducible test case.
Flags: needinfo?(jduell.mcbugs)
Reporter - can you please provide a URL that reproduces the issue?
Priority: -- → P2
Mass change P2 -> P3
Priority: P2 → P3
You need to log in before you can comment on or make changes to this bug.