Closed Bug 1392988 Opened 3 years ago Closed 3 years ago

Firefox 55.02 on macOS High Sierra cannot play AES encrypted video

Categories

(Core :: Audio/Video: Playback, defect, P1)

55 Branch
Unspecified
macOS
defect

Tracking

()

VERIFIED FIXED
mozilla57
Tracking Status
firefox-esr52 56+ verified
firefox55 --- wontfix
firefox56 --- verified
firefox57 --- verified
firefox58 --- verified

People

(Reporter: su-lijiong, Assigned: haik)

References

Details

Attachments

(4 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36

Steps to reproduce:

Play video on the following website:
https://support.jwplayer.com/customer/portal/articles/1430261-aes-content-protection


Actual results:

The video cannot be played
The Console shows "Media resource blob:https://support.jwplayer.com/4545-46464 could not be decoded"


Expected results:

Safari or Chrome can play the video. Only Firefox cannot
By the way, Safari on High Sierra can play that video.
Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Haik - is this a sandboxing issue?
Flags: needinfo?(haftandilian)
See Also: → 1376163
(In reply to Anthony Jones (:kentuckyfriedtakahe, :k17e) from comment #2)
> Haik - is this a sandboxing issue?

Yes, this is a case of macOS 10.13 High Sierra requiring a new allowance in the content sandbox. I'll take the bug and this is something we'll want to get uplifted to be ready for 10.13.

Adding "com.apple.coremedia.videodecoder" to the content sandbox rules let the video work for me with Nightly and 10.13.

WebKit has also added this to the WebProcess sandbox ruleset specifically for 10.13 (as well as some other allowances).

Chris, does it make sense for the content process to need a video decoding service? What about encoding?
Assignee: nobody → haftandilian
Flags: needinfo?(haftandilian) → needinfo?(cpearce)
OS: Unspecified → Mac OS X
Priority: -- → P1
Blocks: highsierra
Yes, we run the video decoder and encoders in the content process on MacOS.
Flags: needinfo?(cpearce)
Using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0, 20170828100127, I can play the videos on https://support.jwplayer.com/customer/portal/articles/1430261-aes-content-protection without changing the sandbox rules. I am running on the latest Developer Beta. It looks as if the reporter was running on 10.11.
(In reply to Marcia Knous [:marcia - use ni] from comment #5)
> Using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101
> Firefox/57.0, 20170828100127, I can play the videos on
> https://support.jwplayer.com/customer/portal/articles/1430261-aes-content-
> protection without changing the sandbox rules. I am running on the latest
> Developer Beta. 

Marcia, on the 2015 MacBook Air I'm testing, if I just click to play the video on High Sierra it always stalls after displaying the green "the following preview has been approved for all audiences" screen and doesn't play. If I skip to the middle of the video and then click pause and then play I can get it to play. But it never plays properly the first time. Is that your experience too? And do you see the decoding errors on the web console? See screenshot.

With the sandbox fix, it starts playing correctly after a single click to play.

> It looks as if the reporter was running on 10.11.

We should confirm, but the bug subject and comment 0 reference High Sierra. Perhaps 10.11 was used to file the bug only. For me, on 10.11, the video plays after a single click to play without any decoding errors logged in the console.

su, can you confirm you hit the problem on an OS X High Sierra 10.13 Beta release?
Flags: needinfo?(su-lijiong)
Flags: needinfo?(mozillamarcia.knous)
Screenshot showing frozen video and console errors on macOS High Sierra 10.13 Beta collected with Nightly.
I tested on macOS High Sierra and reported the bug on macOS 10.11 (so the user agent shows macOS 10.11, I guess). By the way, are you releasing the fixed version before High Sierra's release, not just nightly build? We are asking our users to use Safari when High Sierra launch, because the current Firefox cannot play our streaming service (a problem of AES, I guess (hope)).
Flags: needinfo?(su-lijiong)
(In reply to Haik Aftandilian [:haik] from comment #6)
> (In reply to Marcia Knous [:marcia - use ni] from comment #5)
> > Using Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101
> > Firefox/57.0, 20170828100127, I can play the videos on
> > https://support.jwplayer.com/customer/portal/articles/1430261-aes-content-
> > protection without changing the sandbox rules. I am running on the latest
> > Developer Beta. 
> 
> Marcia, on the 2015 MacBook Air I'm testing, if I just click to play the
> video on High Sierra it always stalls after displaying the green "the
> following preview has been approved for all audiences" screen and doesn't
> play. If I skip to the middle of the video and then click pause and then
> play I can get it to play. But it never plays properly the first time. Is
> that your experience too? And do you see the decoding errors on the web
> console? See screenshot.
> 
> With the sandbox fix, it starts playing correctly after a single click to
> play.
> 
> > It looks as if the reporter was running on 10.11.
> 
> We should confirm, but the bug subject and comment 0 reference High Sierra.
> Perhaps 10.11 was used to file the bug only. For me, on 10.11, the video
> plays after a single click to play without any decoding errors logged in the
> console.
> 
> su, can you confirm you hit the problem on an OS X High Sierra 10.13 Beta
> release?

Hello Haik - I just tried again on my machine, MacBook Pro (13-inch, 2016, Four Thunderbolt 3 Ports) using the latest nightly build. The very first video plays fine the first time, and doesn't stall (as does the second video). I can attach my about:support if that would be helpful.
Flags: needinfo?(mozillamarcia.knous)
I tried Nightly, but it does not work. Am I missing something?
(In reply to su from comment #8)
> I tested on macOS High Sierra and reported the bug on macOS 10.11 (so the
> user agent shows macOS 10.11, I guess). By the way, are you releasing the
> fixed version before High Sierra's release, not just nightly build? We are
> asking our users to use Safari when High Sierra launch, because the current
> Firefox cannot play our streaming service (a problem of AES, I guess (hope)).

Thanks for the clarification and thanks for reporting the problem to begin with. We should be able to get this fixed in the Release version of Firefox before High Sierra ships.

> I tried Nightly, but it does not work. Am I missing something?

It hasn't been fixed in Nightly yet. That should happen within a day or two. (Once it is fixed in Nightly, this bug will be marked as status:fixed and later there will be more updates as it is fixed in Beta and Release.)

Would you be able to test a build with the fix to ensure it works for you? Here's a Nightly build that includes the fix.

  https://queue.taskcluster.net/v1/task/Gs2UfNqTTtGyslCd7ARDow/runs/0/artifacts/public/build/target.dmg
Flags: needinfo?(su-lijiong)
Hi, Haik. I have tried the Nightly Build you provide. I can confirm that it works for our streaming service, I am glad to know that you will release it before High Sierra's launch.
Flags: needinfo?(su-lijiong)
The posted fix allows mach-lookups for decoding and encoding. I haven't seen sandbox violations triggered due to lack of encoding support, but checked with :cpearce and content processes could need to do encoding in some scenarios: for WebRTC or the MediaRecorder API. The fix uses "xpc-service-name" instead of "global-name". Other examples online are using xpc-service-name and my assumption is that this is more limiting than global-name because it limits the connection to advertised XPC services. Both worked in this case.
Comment on attachment 8902332 [details]
Bug 1392988 - Firefox 55.02 on macOS High Sierra cannot play AES encrypted video.

https://reviewboard.mozilla.org/r/173872/#review179138

::: security/sandbox/mac/SandboxPolicies.h:189
(Diff revision 1)
>  ; bug 1376163
>    (if (>= macosMinorVersion 13)
> -    (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar")))
> +    (allow mach-lookup
> +      (global-name "com.apple.audio.AudioComponentRegistrar")

Can you move the comment around so that bug number is clearly assosciated with the `AudioComponentRegistrar` and add a comment for these?
Attachment #8902332 - Flags: review?(agaynor) → review+
Comment on attachment 8902332 [details]
Bug 1392988 - Firefox 55.02 on macOS High Sierra cannot play AES encrypted video.

https://reviewboard.mozilla.org/r/173872/#review179138

> Can you move the comment around so that bug number is clearly assosciated with the `AudioComponentRegistrar` and add a comment for these?

Fixed. Thanks.
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/573687637148
Firefox 55.02 on macOS High Sierra cannot play AES encrypted video. r=Alex_Gaynor
(In reply to Marcia Knous [:marcia - use ni] from comment #9)
> Hello Haik - I just tried again on my machine, MacBook Pro (13-inch, 2016,
> Four Thunderbolt 3 Ports) using the latest nightly build. The very first
> video plays fine the first time, and doesn't stall (as does the second
> video). I can attach my about:support if that would be helpful.

Marcia, thanks, but I think we now have enough information to move forward with the fix.
Comment on attachment 8902332 [details]
Bug 1392988 - Firefox 55.02 on macOS High Sierra cannot play AES encrypted video.

Approval Request Comment
[Feature/Bug causing the regression]:
New issue on macOS 10.13 High Sierra (yet to be officially released).

[User impact if declined]:
Some streaming video will not play on macOS 10.13 High Sierra when it is released. Things that depend on video encoding such as WebRTC may not work in some cases.

[Is this code covered by automated tests?]:
No. macOS 10.13 is not used in automated tests.

[Has the fix been verified in Nightly?]:
No, it's on autoland.

[Needs manual test from QE? If yes, steps to reproduce]:
Yes, see description of this bug.

[List of other uplifts needed for the feature/fix]:
None

[Is the change risky?]:
No

[Why is the change risky/not risky?]:
It makes the Mac sandbox less restrictive and only applies to macOS 10.13. Most issues with the sandbox are caused by the sandbox blocking access to a resource the browser needs, but this change adds access to some services.

[String changes made/needed]:
None
Attachment #8902332 - Flags: approval-mozilla-release?
Attachment #8902332 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/573687637148
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Hi su,
Can you help check if it was fixed in the latest nightly? Thanks.
Flags: needinfo?(su-lijiong)
(In reply to Gerry Chang [:gchang] from comment #23)
> Hi su,
> Can you help check if it was fixed in the latest nightly? Thanks.

Nope, it still doesn't work. By the way, I downloaded the Nightly Build from this page: https://www.mozilla.org/en-US/firefox/channel/desktop/
Flags: needinfo?(su-lijiong)
(In reply to su from comment #24)
> (In reply to Gerry Chang [:gchang] from comment #23)
> > Hi su,
> > Can you help check if it was fixed in the latest nightly? Thanks.
> 
> Nope, it still doesn't work. By the way, I downloaded the Nightly Build from
> this page: https://www.mozilla.org/en-US/firefox/channel/desktop/

With the latest Nightly, it works for me. The version I'm using is "57.0a1 (2017-08-30)" from the "About Nightly" page. You can also check the version with the "about:support" page. The Build ID shown on about:support is 20170830100230.

su, it's possible the version you downloaded had not been updated yet with the fix. Could you check which version you are running?
Flags: needinfo?(su-lijiong)
I tried the latest Nightly Build (57.0a1(2017-08-30)), it works now.
Flags: needinfo?(su-lijiong)
A number of changes for 10.13 are only in 56, I'd rather leave 55 alone at this point.
Attachment #8902332 - Flags: approval-mozilla-release? → approval-mozilla-release-
Comment on attachment 8902332 [details]
Bug 1392988 - Firefox 55.02 on macOS High Sierra cannot play AES encrypted video.

Verified in comment 25 and comment 26, so let's uplift this fix in anticipation of a new MacOS release some time in the next month or two.
Attachment #8902332 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Julien Cristau [:jcristau] from comment #27)
> A number of changes for 10.13 are only in 56, I'd rather leave 55 alone at
> this point.

Tech press[1] is reporting that High Sierra is scheduled to be released on September 25th which is a few days before build 56 is scheduled to be released.

1. "Apple will release macOS High Sierra on September 25th"
   https://www.theverge.com/2017/9/12/16277554/apple-mac-os-high-sierra-release-date-download-announced
Flags: needinfo?(jcristau)
Flags: needinfo?(jcristau)
The patch also includes the fix for 1376163.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Some encrypted streaming video will not work with High Sierra. We're going to have a update ESR52 to add some fixes for High Sierra (1376163) and it makes sense to include this because its low risk.

User impact if declined: 
Some encrypted video streams will fail to play.

Fix Landed on Version:
The fix is 56/57 already.

Risk to taking this patch (and alternatives if risky): 
Very low risk.

String or UUID changes made by this patch: 
None

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8915458 - Flags: review?(agaynor)
Attachment #8915458 - Flags: approval-mozilla-esr52?
Attachment #8915458 - Flags: review?(agaynor) → review+
Comment on attachment 8915458 [details] [diff] [review]
ESR/52 patch: Adds access to com.apple.coremedia.videodecoder/encoder for High Sierra

this can ride-along on esr52 with 1376163
Attachment #8915458 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
I managed to reproduce the bug on an old version of Nightly (2017-08-23) using macOS 10.13. 
I retested everything using ESR 52.4.1 - build 1, Firefox 56.0, beta 57.0b6 and latest Nightly 58.0a1, but the bug is not reproducing anymore.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.