[WebVTT] HTML5 VIDEO element - Child TRACK elements CORS validation

Status: UNCONFIRMED, P3, normal (a year ago)
People: Reporter: nicolasmariano, Unassigned
Tracking: 52 Branch
Firefox Tracking Flags: Not tracked

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170614180111

Steps to reproduce:

Create an HTML5 webpage (http://domaina.com/a.html) with a video element in the body.

<video id="myVideo" crossorigin="anonymous"  poster="poster.jpg">
    <source id="videoSource" src="https://domainb.com/video.mp4" />
    <track label="English" kind="captions" srclang="en" src="https://domainb.com/captions.vtt" default></track>
</video>

Allowed the CORS request by adding the Access-Control-Allow-Origin * header in domainb server responses.



Actual results:

No captions are shown.
The Browser Console log shows the following message:

Security Error: Content at https://domaina.com/a.html may not load data from https://domainb.com/captions.vtt.

Video Playback is fine, no captions are shown.
Google Chrome works fine.


Expected results:

 Video and captions should be under the same CORS policy. Video and captions should be shown together.
(Reporter)

Comment 1

a year ago
In steps to reproduce, page should be https (https://domaina.com/a.html)
Component: Untriaged → DOM: Security
Product: Firefox → Core

CORS lives in Networking, probably we should fix that in the DOM:Security module.
Component: DOM: Security → Networking

Don't you need to use crossorigin=anonymous on the <track> element as well? Or else have your access-control-allow-origin header specify the exact host in the request. "*" only works for anonymous requests.
Flags: needinfo?(nicolasmariano)
(Reporter)

Comment 4

a year ago
Daniel, access-control-allow origin is set to * just for anonymous requests. Also, the crossorigin attribute does not seem to be consistent.
The crossorigin attribute affects the child source element when set on the parent video element. The child track element does not behave in the same way.
MDN documentation on HTML elements does not show crossorigin for media and track. Does media avoid CORS validation while track goes through it? (The track element doesn't have a crossorigin attribute.)


(In reply to Daniel Veditz [:dveditz] from comment #3)
> Don't you need to use crossorigin=anonymous on the <track> element as well?
> Or else have your access-control-allow-origin header specify the exact host
> in the request. "*" only works for anonymous requests.
Flags: needinfo?(nicolasmariano)

Comment 5

a year ago
FWIW, Nicolas and MDN are correct, per https://html.spec.whatwg.org/#start-the-track-processing-model we need to inherit the crossorigin attribute state from the parent element (if that's a media element). And <track> itself doesn't have a crossorigin attribute.

Given that, I suspect the problem here is the media element code not implementing that algorithm correctly. So maybe Audio/Video?
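
Added example (not part of the bug thread and not Firefox code): a small JavaScript model of the behaviour comments 3 and 5 describe, in which a <track> takes its CORS state from the parent media element and "*" satisfies only non-credentialed requests. The function names and sample header values are assumptions made for illustration.

```javascript
// Model of the <track> fetch, following the HTML "start the track processing
// model" steps and the Fetch CORS check. Function names are illustrative.

// parentCrossorigin: crossorigin state of the parent media element, null when
// the attribute is absent. <track> itself has no crossorigin attribute.
function trackRequest(parentCrossorigin) {
  if (parentCrossorigin === null) {
    // No CORS state plus the same-origin fallback flag: the request mode
    // becomes "same-origin", so a cross-origin cue file is never fetched.
    return { mode: "same-origin", credentials: "same-origin" };
  }
  const creds = String(parentCrossorigin).toLowerCase() === "use-credentials";
  return { mode: "cors", credentials: creds ? "include" : "same-origin" };
}

// Decide whether the cue file may load. `headers` holds the response headers
// of the track URL, keyed by lower-case name.
function trackLoadAllowed(pageUrl, trackUrl, parentCrossorigin, headers) {
  const pageOrigin = new URL(pageUrl).origin;
  const req = trackRequest(parentCrossorigin);
  if (new URL(trackUrl).origin === pageOrigin) return { ok: true, reason: "same-origin" };
  if (req.mode === "same-origin") return { ok: false, reason: "no crossorigin on parent media element" };

  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  if (req.credentials !== "include") {
    const ok = acao === "*" || acao === pageOrigin;
    return { ok, reason: ok ? "CORS check passed" : "origin not allowed" };
  }
  // Credentialed request: "*" is not accepted; the exact origin and
  // Access-Control-Allow-Credentials: true are both required.
  if (acao !== pageOrigin) return { ok: false, reason: "wildcard or wrong origin with credentials" };
  if (headers["access-control-allow-credentials"] !== "true")
    return { ok: false, reason: "missing Access-Control-Allow-Credentials: true" };
  return { ok: true, reason: "CORS check passed" };
}

// Constructed sample input mirroring the setup in the report (https page).
const PAGE = "https://domaina.com/a.html";
const TRACK = "https://domainb.com/captions.vtt";
const WILDCARD = { "access-control-allow-origin": "*" };
console.log(trackLoadAllowed(PAGE, TRACK, "anonymous", WILDCARD));       // ok: true
console.log(trackLoadAllowed(PAGE, TRACK, "use-credentials", WILDCARD)); // ok: false
console.log(trackLoadAllowed(PAGE, TRACK, null, WILDCARD));              // ok: false
```
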
This is not a networking problem. Necko performs checks but the flags are set by DOM.
Component: Networking → DOM
It's component hot potato!
Component: DOM → Audio/Video: Playback
Priority: -- → P3
Summary: HTML5 VIDEO element - Child TRACK elements CORS validation → [WebVTT] HTML5 VIDEO element - Child TRACK elements CORS validation
Benjamin,
Can you help check this bug?
Flags: needinfo?(bechen)
See Also: → bug 1313711
(In reply to Anne (:annevk) from comment #5)
> FWIW, Nicolas and MDN are correct, per
> https://html.spec.whatwg.org/#start-the-track-processing-model we need to
> inherit the crossorigin attribute state from the parent element (if that's a
> media element). And <track> itself doesn't have a crossorigin attribute.
> 
> Given that, I suspect the problem here is the media element code not
> implementing that algorithm correctly. So maybe Audio/Video?

Bug 1313711 had fixed it.
FF54 doesn't have the issue, I'm not sure what patches we are missing for uplift to FF52.
Flags: needinfo?(bechen)

Comment 10

a year ago
I'd expect this to not be important enough (especially since the way we fail doesn't reveal information) to uplift.