[Mac] Allow Adobe DRM content to play with the Mac Flash sandbox

VERIFIED FIXED in Firefox 62

Status

P1
normal
VERIFIED FIXED
5 months ago
5 months ago

People

(Reporter: haik, Assigned: haik)

Tracking

({regression})

63 Branch
mozilla64
Unspecified
macOS
regression

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox62 verified, firefox63 verified, firefox64 verified)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 months ago
Adobe reported that playback of some DRM streams using their Flash TVSDK are now failing with the Mac Flash sandbox shipped in 62 and enabled by default.

Steps to reproduce (provided by Adobe):

  1. Delete all contents from the directory:
     ~/Library/Caches/Adobe/Flash Player/APSPrivateData2/<some number>/drm-plug-mac-x64/

  2. Visit our test DRM video player:
     https://drmtest2.adobe.com/AccessPlayer/player.html 

It'll have a video stream URL prefilled (http://drmtest2.adobe.com/Content/FAXS4/Anonymous_LOCAL/sample.mp4.m3u8). Try to play the stream using the play button (leftmost on the bottom toolbar). If the whitelisting works, a video of a train will start playing. The column on the right shows the logs. If the playback fails because of the lack of file write access, the logs will stop with an error code (3374 or 3313).
(Assignee)

Updated

5 months ago
Assignee: nobody → haftandilian
Priority: -- → P1
(Assignee)

Updated

5 months ago
Summary: [Mac] Allow Adobe Primetime DRM content to play with the Mac Flash sandbox → [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox
(Assignee)

Comment 1

5 months ago
Debugging revealed that the Flash process needs write access to paths like the following.

  /private/var/folders/63/ajdfjlakdjflakjsdflkajfdl/T/TemporaryItems/(A Document Being Saved By NightlyCP 3)/CertStore.dat

After adding a regex allowing file-read* and file-write* to paths like this, the video streams worked as expected.

Without any of file-write-data, file-write-create, file-write-mode, and file-write-unlink, the streaming didn't work so I'm choosing to allow file-write* aiming to make the rules less brittle to minor changes in the future that get made to Flash or OS libraries.

Tested on 10.9, 10.10, and 10.13 so far.
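
An added illustration, not part of the original bug and not the regex from the landed patch: a Python harness that checks a hypothetical allow rule shaped like the path in Comment 1 against constructed paths, next to an over-broad variant. Both patterns, the sample paths and the assumed intent (only files directly inside the "A Document Being Saved By" directory) are assumptions, and Python's `re` stands in for the sandbox's regex engine.

```python
import re

# Path quoted in Comment 1 on this page.
PAGE_PATH = ("/private/var/folders/63/ajdfjlakdjflakjsdflkajfdl/T/TemporaryItems/"
             "(A Document Being Saved By NightlyCP 3)/CertStore.dat")
# Constructed per-user temp root and save directory (not from the page).
ROOT = "/private/var/folders/ab/constructed0000"
SAVE_DIR = ROOT + "/T/TemporaryItems/(A Document Being Saved By ExampleCP 7)"

# Hypothetical candidate rules; neither is the regex from the landed patch.
BROAD = re.compile(r"^/private/var/folders/.*")
SCOPED = re.compile(
    r"^/private/var/folders/[^/]+/[^/]+/T/TemporaryItems/"
    r"\(A Document Being Saved By [^/]+\)/[^/]+$")

# (path, should the rule grant read/write?) with intent assumed for this example.
CASES = [
    (PAGE_PATH, True),
    (SAVE_DIR + "/CertStore.dat", True),
    (ROOT + "/T/other.tmp", False),                 # outside TemporaryItems
    (ROOT + "/C/com.example.app/Cache.db", False),  # cache dir, not temp
    (SAVE_DIR + "/sub/file", False),                # deeper than one level
    ("/Users/constructed/Library/Preferences/example.plist", False),
]
# Unresolved path: ".." satisfies [^/]+, so the raw regex alone accepts it.
DOTTED = SAVE_DIR.replace("/ab/", "/../") + "/x"

def allows(pattern, path):
    """Match only absolute paths with no '', '.' or '..' components."""
    parts = path.split("/")[1:]
    if not path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        return False
    return pattern.search(path) is not None

def audit(pattern):
    """Return constructed paths where the rule disagrees with the intent."""
    return [p for p, want in CASES if allows(pattern, p) != want]

if __name__ == "__main__":
    for name, rule in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, "disagrees on:", audit(rule))
```

The `DOTTED` case is why the harness rejects unresolved components before matching: a per-component `[^/]+` accepts `..` just as readily as a real directory name.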
(Assignee)

Comment 2

5 months ago
Created attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Add a whitelisted write-access path regex to the Flash plugin sandbox.
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Alex Gaynor [:Alex_Gaynor] has approved the revision.
Attachment #9011516 - Flags: review+

Comment 4

5 months ago
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5945bfd7277
[Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r=Alex_Gaynor

Comment 5

5 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b5945bfd7277
Status: NEW → RESOLVED
Last Resolved: 5 months ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
(Assignee)

Comment 6

5 months ago
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Approval Request Comment

[Feature/Bug causing the regression]:
Mac Flash process sandbox. Bug 1474375.

[User impact if declined]:
As reported by Adobe, some Adobe Flash DRM encrypted video streams fail to play in Firefox starting in build 62.

[Is this code covered by automated tests?]:
No

[Has the fix been verified in Nightly?]:
A build of Nightly with the fix was sent to Adobe and verified.

[Needs manual test from QE? If yes, steps to reproduce]: 
Verify the video at the provided URL plays after deleting cached data as described in the bug description.

[List of other uplifts needed for the feature/fix]:
None

[Is the change risky?]:
No

[Why is the change risky/not risky?]:
The change adds a write-access whitelist rule to the Flash process sandbox on Mac, making the sandbox slightly more permissive, and is unlikely to cause regressions.

[String changes made/needed]:
None
Attachment #9011516 - Flags: approval-mozilla-release?
Attachment #9011516 - Flags: approval-mozilla-beta?
status-firefox62: --- → affected
status-firefox63: --- → affected
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Low-risk patch for a P1 regression, uplift approved for 63 beta 10, thanks.
Attachment #9011516 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+

Comment 8

5 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-beta/rev/cf1509eb9d61
status-firefox63: affected → fixed
Keywords: regression
status-firefox-esr60: --- → unaffected
I managed to reproduce the issue using an older version of Nightly (2018-09-17) on macOS 10.13.
I retested everything on latest Nightly 64.0a1 on the same platform and the bug is not reproducing anymore. The video starts playing without any errors. 
I can still reproduce on beta 63.0b9. I think I have to wait until beta 63.0b10 is up to verify the fix.
status-firefox64: fixed → verified
I verified the fix on beta 63.0b10 using macOS 10.13. The bug is not reproducing anymore.
Status: RESOLVED → VERIFIED
status-firefox63: fixed → verified
Flags: qe-verify+
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

macos sandbox change, approved for 62.0.3
Attachment #9011516 - Flags: approval-mozilla-release? → approval-mozilla-release+

Comment 12

5 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-release/rev/dc99e844c2af
status-firefox62: affected → fixed
Flags: qe-verify+
I verified the fix using Firefox 62.0.3 on macOS 10.13. The bug is not reproducing anymore.
status-firefox62: fixed → verified
Flags: qe-verify+