1396916 - [WebVTT] HTML5 VIDEO element - Child TRACK elements CORS validation

Status: NEW

(Core :: Audio/Video: Playback, defect, P3)

Description

[Nicolas Zdanovicz]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170614180111

Steps to reproduce:

Create a HTML5 webpage (http://domaina.com/a.html) with video element in body.

<video id="myVideo" crossorigin="anonymous"  poster="poster.jpg">
    <source id="videoSource" src="https://domainb.com/video.mp4" />
    <track label="English" kind="captions" srclang="en" src="https://domainb.com/captions.vtt" default></track>
 </video>  

Allowed CORS Request adding Access-Control-Allow-Origin * header in domainb server responses.



Actual results:

No captions are shown. 
Browser Console Logs shows the following message

Security Error: Content at https://domaina.com/a.html may not load data from https://domainb.com/captions.vtt.

Video Playback is fine, no captions are shown.
Google Chrome works fine.


Expected results:

 Video and captions should be under the same CORS policy. Video and captions should be shown together.

Comment 1

[Nicolas Zdanovicz]

In steps to reproduce, page should be https (https://domaina.com/a.html)

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

CORS lives in Networking, probably we should fix that in the DOM:Security module.

Comment 3

[Daniel Veditz [:dveditz]]

Don't you need to use corssorigin=anonymous on the <track> element as well? Or else have your access-control-allow-origin header specify the exact host in the request. "*" only works for anonymous requests.

Comment 4

[Nicolas Zdanovicz]

Daniel, access-control-allow origin is set to * just for anonymous requests. Also, crossorigin attribute does not seems to be consistent. 
Crossorigin attribute affects child source element when set on parent video element. Child track element does not behave in same way.
MDN documentation on html elements does not show crossorigin for media an track. Does media avoids CORS validation and track is going through it? (track element doesn't have crossorigin attribute).


(In reply to Daniel Veditz [:dveditz] from comment #3)
> Don't you need to use corssorigin=anonymous on the <track> element as well?
> Or else have your access-control-allow-origin header specify the exact host
> in the request. "*" only works for anonymous requests.

Comment 5

[Anne (:annevk)]

FWIW, Nicolas and MDN are correct, per https://html.spec.whatwg.org/#start-the-track-processing-model we need to inherit the crossorigin attribute state from the parent element (if that's a media element). And <track> itself doesn't have a crossorigin attribute.

Given that, I suspect the problem here is the media element code not implementing that algorithm correctly. So maybe Audio/Video?

Comment 6

[Dragana Damjanovic [:dragana]]

this is not networking problem. The necko preforms checks but flags are set by dom.

Comment 7

[Andrew Overholt [:overholt]]

It's component hot potato!

Comment 8

[Blake Wu [:bwu][:blakewu]]

Benjamin,
Can you help check this bug?

Comment 9

[Benjamin Chen [:bechen]]

(In reply to Anne (:annevk) from comment #5)
> FWIW, Nicolas and MDN are correct, per
> https://html.spec.whatwg.org/#start-the-track-processing-model we need to
> inherit the crossorigin attribute state from the parent element (if that's a
> media element). And <track> itself doesn't have a crossorigin attribute.
> 
> Given that, I suspect the problem here is the media element code not
> implementing that algorithm correctly. So maybe Audio/Video?

bug 1313711 had fix it.
FF54 doesn't have the issue, I'm not sure what patches we are missing uplift to FF52.

Comment 10

[Anne (:annevk)]

I'd expect this to not be important enough (especially since the way we fail doesn't reveal information) to uplift.

Comment 11

[Johannes Pfrang [:johnp]]

Please consider re-enabling and fixing up the tests. The current state of not showing anything in the console and just having an empty request stall in the network tab when there's such a CORS issue is untenable.