<video crossorigin="use-credentials"> doesn't send cookies during seek




3 months ago
3 months ago


(Reporter: a.s.datsyuk.s, Unassigned)



Firefox Tracking Flags

(Not tracked)



(1 attachment)



3 months ago
Posted image Image1.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36

Steps to reproduce:

I have HTML file with element <video crossorigin="use-credentials" ...
Also I have .NET Core RESTfull service, which takes authorization token from the cookie. As soon as GET request contains cookie with authorization token, service may authorize this request.

Actual results:

2 requests to the RESTfull service are made: first one contains cookies, but second one is without cookies. This breaks authorization and video couldn't be displayed.
Actually I downloaded Firefox sources, built them and debugged an issue. I think I have found the reason of the bug, and how it could be fixed.

Here are details of my investigation:

In C++ code (HTMLMediaElement::ChannelLoader()) I see that when <video> element is orginally processed, "crossorigin" attribute is respected, and flag to include cookies is added to securityFlags. So, channel is created with this flag, and thus cookies are successfully passed during first HTTP request to the RESTfull service.

But after this, ChannelMediaResource::Seek function is called, which closes channel and creates new one by calling ChannelMediaResource::RecreateChannel(). RecreateChannel() function has code which is very similar to HTMLMediaElement::ChannelLoader(), but it misses part of the code which checks value of "crossorigin" attribute, and adds flag for including cookies to securityFlag. This leads to the creation of the channel which doesn't send the cookies.

As far as I could see, bug could be fixed by copying flag-setting code from HTMLMediaElement::ChannelLoader() to ChannelMediaResource::RecreateChannel() (with some adaptation of the identifiers).

In fact I did this change locally, and after that problem disappeared. With this fix cookies are sent with each request which is done for <video> element.

If this fix doesn't cause any side effects, which I may not know, I propose to apply it to the official Firefox sources.

Expected results:

I expect <video> element to send cookies during each request which is performed (in case if crossorigin="use-credentials").



3 months ago
Component: Untriaged → Security
OS: Unspecified → All
Hardware: Unspecified → All
You need to log in before you can comment on or make changes to this bug.