Open
Bug 1396916
Opened 7 years ago
Updated 2 years ago
[WebVTT] HTML5 VIDEO element - Child TRACK elements CORS validation
Categories
(Core :: Audio/Video: Playback, defect, P3)
Tracking
()
NEW
People
(Reporter: nicolasmariano, Unassigned)
References
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20170614180111 Steps to reproduce: Create a HTML5 webpage (http://domaina.com/a.html) with video element in body. <video id="myVideo" crossorigin="anonymous" poster="poster.jpg"> <source id="videoSource" src="https://domainb.com/video.mp4" /> <track label="English" kind="captions" srclang="en" src="https://domainb.com/captions.vtt" default></track> </video> Allowed CORS Request adding Access-Control-Allow-Origin * header in domainb server responses. Actual results: No captions are shown. Browser Console Logs shows the following message Security Error: Content at https://domaina.com/a.html may not load data from https://domainb.com/captions.vtt. Video Playback is fine, no captions are shown. Google Chrome works fine. Expected results: Video and captions should be under the same CORS policy. Video and captions should be shown together.
Reporter | ||
Comment 1•7 years ago
|
||
In steps to reproduce, page should be https (https://domaina.com/a.html)
Updated•7 years ago
|
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 2•7 years ago
|
||
CORS lives in Networking, probably we should fix that in the DOM:Security module.
Component: DOM: Security → Networking
Comment 3•7 years ago
|
||
Don't you need to use corssorigin=anonymous on the <track> element as well? Or else have your access-control-allow-origin header specify the exact host in the request. "*" only works for anonymous requests.
Updated•7 years ago
|
Flags: needinfo?(nicolasmariano)
Reporter | ||
Comment 4•7 years ago
|
||
Daniel, access-control-allow origin is set to * just for anonymous requests. Also, crossorigin attribute does not seems to be consistent. Crossorigin attribute affects child source element when set on parent video element. Child track element does not behave in same way. MDN documentation on html elements does not show crossorigin for media an track. Does media avoids CORS validation and track is going through it? (track element doesn't have crossorigin attribute). (In reply to Daniel Veditz [:dveditz] from comment #3) > Don't you need to use corssorigin=anonymous on the <track> element as well? > Or else have your access-control-allow-origin header specify the exact host > in the request. "*" only works for anonymous requests.
Flags: needinfo?(nicolasmariano)
Comment 5•7 years ago
|
||
FWIW, Nicolas and MDN are correct, per https://html.spec.whatwg.org/#start-the-track-processing-model we need to inherit the crossorigin attribute state from the parent element (if that's a media element). And <track> itself doesn't have a crossorigin attribute. Given that, I suspect the problem here is the media element code not implementing that algorithm correctly. So maybe Audio/Video?
Comment 6•7 years ago
|
||
this is not networking problem. The necko preforms checks but flags are set by dom.
Updated•7 years ago
|
Component: Networking → DOM
Updated•7 years ago
|
Priority: -- → P3
Summary: HTML5 VIDEO element - Child TRACK elements CORS validation → [WebVTT] HTML5 VIDEO element - Child TRACK elements CORS validation
Updated•7 years ago
|
See Also: → CVE-2017-5408
Comment 9•7 years ago
|
||
(In reply to Anne (:annevk) from comment #5) > FWIW, Nicolas and MDN are correct, per > https://html.spec.whatwg.org/#start-the-track-processing-model we need to > inherit the crossorigin attribute state from the parent element (if that's a > media element). And <track> itself doesn't have a crossorigin attribute. > > Given that, I suspect the problem here is the media element code not > implementing that algorithm correctly. So maybe Audio/Video? bug 1313711 had fix it. FF54 doesn't have the issue, I'm not sure what patches we are missing uplift to FF52.
Flags: needinfo?(bechen)
Comment 10•7 years ago
|
||
I'd expect this to not be important enough (especially since the way we fail doesn't reveal information) to uplift.
Comment 11•5 years ago
|
||
Please consider re-enabling and fixing up the tests. The current state of not showing anything in the console and just having an empty request stall in the network tab when there's such a CORS issue is untenable.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•