MediaError message property can leak information about cross-origin media resource
Categories
(Core :: Audio/Video: Playback, defect, P2)
Tracking
()
People
(Reporter: pehrsons, Assigned: pehrsons)
References
Details
(Keywords: csectype-sop, sec-low, Whiteboard: [adv-main86+][adv-esr78.8+])
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
pascalc
:
approval-mozilla-esr78+
|
Details | Review |
|
Bug 1690976 - Don't reveal error details for CORS-cross-origin decoding errors. r?bryce!,r?sstreich!
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
pascalc
:
approval-mozilla-esr78+
|
Details | Review |
|
292 bytes,
text/plain
|
Details |
Similarly to bug 1450853, but while decoding instead of loading -- and setting the error through this path. I don't think this could leak any response status, but it can leak information about the content of the media resource. Things like this or this.
+++ This bug was initially created as a clone of Bug #1450853 +++
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180208173149
Steps to reproduce:
1- Visit: https://output.jsbin.com/nejatopusi
2- Enter a URL in the input box, click the "Test" button
The URL will be loaded as the src of an audio element.
Actual results:
The message property of the MediaError interface contains a different string for resources that loads successfully. This allows an attacker to infer the response status for a cross-origin resource.
Expected results:
Cross-origin response status should not be detectable by scripts unless necessary CORS headers are sent by the server.
|
Assignee | |
Comment 1•3 years ago
|
||
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
||
Comment 3•3 years ago
|
||
Landed:
https://hg.mozilla.org/integration/autoland/rev/ff2dd7ee09b6281c248b046757c69dab70bb77e7
https://hg.mozilla.org/integration/autoland/rev/d119750e84691214a66216a053cb4a69209d0a2a
Backed out for failing modified test_decode_error_crossorigin.html:
https://hg.mozilla.org/integration/autoland/rev/283cfdca9a408ba3ac2e1c8b458e40eb1937d594
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&revision=d119750e84691214a66216a053cb4a69209d0a2a
Failure log: https://treeherder.mozilla.org/logviewer?job_id=329195723&repo=autoland
[task 2021-02-08T09:37:13.402Z] 09:37:13 INFO - TEST-PASS | dom/media/test/test_decode_error_crossorigin.html | At least one test led to src-not-supported
[task 2021-02-08T09:37:13.402Z] 09:37:13 INFO - Buffered messages finished
[task 2021-02-08T09:37:13.404Z] 09:37:13 INFO - TEST-UNEXPECTED-FAIL | dom/media/test/test_decode_error_crossorigin.html | At least one test led to a decode error
[task 2021-02-08T09:37:13.405Z] 09:37:13 INFO - SimpleTest.ok@SimpleTest/SimpleTest.js:417:16
[task 2021-02-08T09:37:13.405Z] 09:37:13 INFO - manager.onFinished@dom/media/test/test_decode_error_crossorigin.html:62:7
[task 2021-02-08T09:37:13.406Z] 09:37:13 INFO - MediaTestManager/this.nextTest@dom/media/test/manifest.js:2201:14
[task 2021-02-08T09:37:13.406Z] 09:37:13 INFO - MediaTestManager/this.finished@dom/media/test/manifest.js:2162:12
[task 2021-02-08T09:37:13.407Z] 09:37:13 INFO - startTest/<@dom/media/test/test_decode_error_crossorigin.html:36:13
|
|
||
Comment 4•3 years ago
|
||
Landed:
https://hg.mozilla.org/integration/autoland/rev/c6c868eaf91531c82873e67950d457313d47d1f1
https://hg.mozilla.org/integration/autoland/rev/ed0ab9078607e373de6cc25ff31c28fc1c0e0120
Backed out for linting failure:
https://hg.mozilla.org/integration/autoland/rev/a83f064d141bd883af8a97d0d1a4cdfe3eee6967
Failure log: https://treeherder.mozilla.org/logviewer?job_id=329206209&repo=autoland
TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/dom/media/test/test_decode_error_crossorigin.html:17:9 | 'ok' is assigned a value but never used. (no-unused-vars)
|
|
||
Comment 5•3 years ago
|
||
Add a mochitest checking that third-party ERR_DECODE messages are defaulted. r=bryce
https://hg.mozilla.org/integration/autoland/rev/6c6ddcf74d79a7429dfaa315673174399b51bc4a
Don't reveal error details for CORS-cross-origin decoding errors. r=sstreich,bryce
https://hg.mozilla.org/integration/autoland/rev/7c861a1895759bd3878692c4e01f17a9b1a6847b
https://hg.mozilla.org/mozilla-central/rev/6c6ddcf74d79
https://hg.mozilla.org/mozilla-central/rev/7c861a189575
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9201357 [details]
Bug 1690976 - Don't reveal error details for CORS-cross-origin decoding errors. r?bryce!,r?sstreich!
Beta/Release Uplift Approval Request
- User impact if declined: An adversary could figure out certain details about a media file on a third-party origin if we are able to load it but during playback exhibit an error.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This simply adds a case where we change the message component of an error to a default string. No threading changes, no lifetime changes.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: An adversary could figure out certain details about a media file on a third-party origin if we are able to load it but during playback exhibit an error.
- Fix Landed on Version: 87
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This simply adds a case where we change the message component of an error to a default string. No threading changes, no lifetime changes.
- String or UUID changes made by this patch:
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9201357 [details]
Bug 1690976 - Don't reveal error details for CORS-cross-origin decoding errors. r?bryce!,r?sstreich!
Approved for beta and esr, thanks.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 8•3 years ago
|
||
| uplift | ||
|
||
Comment 9•3 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr78/rev/3d7ae36fd0f1
https://hg.mozilla.org/releases/mozilla-esr78/rev/ad344d451325
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Comment 10•3 years ago
|
||
|
|
||
Updated•3 years ago
|
|
||
Updated•2 years ago
|
Description
•