MP4 file served with Content-Security-Policy: sandbox doesn't play in Firefox when loaded as document
Categories
(Core :: Audio/Video: Playback, defect, P3)
Tracking
()
People
(Reporter: jrmuizel, Assigned: karlt)
References
(Regression, )
Details
(Keywords: regression, Whiteboard: [uplift needs changes from bug 1781759 first])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
diannaS
:
approval-mozilla-release+
RyanVM
:
approval-mozilla-esr102+
|
Details | Review |
It plays in Chrome. Downloading the video and playing it in Firefox using a file:// url works fine.
|
||
Updated•2 years ago
|
|
|
||
Comment 1•2 years ago
|
||
Possible dupe here - https://bugzilla.mozilla.org/show_bug.cgi?id=1780905
|
|
||
Comment 2•2 years ago
|
||
Regression window:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e15164d8b4c6de1bbb016649e32bd63797a7453a&tochange=56757e00ffb4fbea5c67b67d86d081949065dd6d
|
Reporter | |
Updated•2 years ago
|
|
|
Reporter | |
Updated•2 years ago
|
|
Assignee | |
Comment 3•2 years ago
|
||
Whether this reproduces depends on how fast the resource loads.
Reproduction is reliable when uncached, but the video reliably plays when cached.
With 56757e00ffb4fbea5c67b67d86d081949065dd6d backed out, the video plays even when not cached.
I'll investigate what is causing the differences.
|
|
Assignee | |
Comment 4•2 years ago
|
||
AFAIK this affects only toplevel video loads, not videos loaded from HTML.
e.g. data:text/html,<video controls src="https://user-images.githubusercontent.com/308347/180722666-15962825-02b8-4b8e-b3e1-a86dbfefa369.mp4"> is unaffected (plays fine even when not cached).
|
|
||
Comment 5•2 years ago
|
||
Mp4 video does not play even in iframe. See bug 1781759.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 6•2 years ago
|
||
Thanks. Yes, the relevant distinction is not toplevel vs HTML but video as a document vs HTMLMediaElement.
|
|
Assignee | |
Comment 7•2 years ago
|
||
"No Video with supported format and MIME type found" is shown but document.getElementsByTagName("video")[0].error.message is "NS_ERROR_CONTENT_BLOCKED (0x805e0006) - opaque and non-opaque responses".
|
|
Assignee | |
Comment 8•2 years ago
|
||
When the media resource is loaded as a document, the response from the initial
document load gets reused, as an optimization, as an emulated load for the
resource of the media host element in the generated HTML document.
https://searchfox.org/mozilla-central/rev/5644fae86d5122519a0e34ee03117c88c6ed9b47/dom/html/VideoDocument.cpp#114
https://html.spec.whatwg.org/multipage/browsing-the-web.html#read-media
Depends on D154041
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 10•2 years ago
|
||
Pushed by ktomlinson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7a729883695f don't use tainting for cross-origin check on document media resource loads r=chunmin
|
||
Comment 11•2 years ago
|
||
| bugherder | ||
|
||
Comment 12•2 years ago
|
||
The patch landed in nightly and beta is affected.
:karlt, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox105towontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 13•2 years ago
|
||
Comment on attachment 9288957 [details]
Bug 1781063 don't use tainting for cross-origin check on document media resource loads r?edenchuang
Beta/Release Uplift Approval Request
- User impact if declined: Some videos or audio do not play sometimes or always when loaded as a document, either toplevel or same-origin iframe, and served with Content-Security-Policy: sandbox.
This is affecting user-images.githubusercontent.com.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small and affects only media loaded as a document, which is currently often refusing to play.
- String changes made/needed: None.
- Is Android affected?: Yes
|
||
Comment 14•2 years ago
|
||
Comment on attachment 9288957 [details]
Bug 1781063 don't use tainting for cross-origin check on document media resource loads r?edenchuang
Approved for 105.0b3. We should probably consider nominating this for release and ESR approval as well.
|
|
||
Comment 15•2 years ago
|
||
| bugherder uplift | ||
|
|
Assignee | |
Comment 16•2 years ago
|
||
[Tracking Requested - why for this release]:
Regression on 102 branch.
|
|
Assignee | |
Comment 17•2 years ago
|
||
Comment on attachment 9288957 [details]
Bug 1781063 don't use tainting for cross-origin check on document media resource loads r?edenchuang
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This fixes a regression introduced in 102.
- User impact if declined: Videos or audio do not play sometimes or always when loaded as a document, either toplevel or same-origin iframe, and served with Content-Security-Policy: sandbox.
- Fix Landed on Version: 106 and uplifted to 105
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small and affects only media loaded as a document, which is currently often refusing to play.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 18•2 years ago
|
||
Comment on attachment 9288957 [details]
Bug 1781063 don't use tainting for cross-origin check on document media resource loads r?edenchuang
Beta/Release Uplift Approval Request
- User impact if declined: Videos or audio do not play sometimes or always when loaded as a document, either toplevel or same-origin iframe, and served with Content-Security-Policy: sandbox.
The only affected site that I am aware of is user-images.githubusercontent.com.
Bug 1781759 seems to be affecting more sites.
I think there is a stronger case for uplifting the fix for bug 1781759, but the changes here are closely related. The fix for bug 1781759 may be slightly safer when this patch is taken with it because this is the configuration that has some Nightly exposure.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1781759
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small and affects only media loaded as a document, which is currently often refusing to play.
The automated test for this needs changes for bug 1783601, which are not intended for uplift.
- String changes made/needed: None.
- Is Android affected?: Yes
|
|
||
Updated•2 years ago
|
|
|
||
Comment 19•2 years ago
|
||
Comment on attachment 9288957 [details]
Bug 1781063 don't use tainting for cross-origin check on document media resource loads r?edenchuang
Approved for 102.3esr.
|
|
||
Comment 20•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 22•2 years ago
|
||
Comment on attachment 9288957 [details]
Bug 1781063 don't use tainting for cross-origin check on document media resource loads r?edenchuang
Approved for 104.0.2
|
|
||
Comment 23•2 years ago
|
||
| bugherder uplift | ||
|
||
Updated•2 years ago
|
|
||
Comment 24•2 years ago
|
||
I have verified the fix using Firefox Nightly 106.0a1 (20220904213226), Firefox Beta 105.0b7 (20220904185841), Firefox 104.0.2 (20220901135416) and Firefox 102.2.0esr (20220818165803)
Description
•