Closed Bug 1947672 Opened 12 days ago Closed 10 days ago

Enabling Trusted Types causes issues with Picture-in-Picture on www.youtube.com

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
Firefox 135
Platform:
Desktop
Unspecified
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
137 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox135 --- disabled
firefox136 --- disabled
firefox137 --- fixed

People

(Reporter: celenity, Assigned: tschuster)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression)

Attachments

(2 files)

pip.jpeg
273.54 KB, image/jpeg
Details
Bug 1947672 - Make PiP bypass trusted types when using the DOMParser. r?smaug!,mconley!
48 bytes, text/x-phabricator-request
Details | Review
Attached image pip.jpeg

Steps to reproduce:

  1. Set dom.security.trusted_types.enabled to true (via your about:config or otherwise...)

  2. Navigate to https://www.youtube.com, find and play a video, it doesn't matter what.

  3. Activate Picture-in-Picture via the icon on the top right of the URL bar.

Actual results:

The video pops out with PiP, but also still continues playing on the https://www.youtube.com tab.

Expected results:

Video playback should stop on the https://www.youtube.com tab when PiP is active, just like it does when Trusted Types is disabled.

Blocks: trusted-types
Hardware: Unspecified → Desktop

This is a great report. Thank you!

The problem must be the following:

TypeError: DOMParser.parseFromString: Sink type mismatch violation blocked by CSP
  generateContent chrome://global/content/elements/videocontrols.js:3304
  onsetup chrome://global/content/elements/videocontrols.js:3163

Our PiP code seems to be trying to parse a string using a content based DOMParser that is blocked by the Trusted Types policy set up by YouTube. We probably could/should either bypass the policy somehow (Using [NeedsCallerType] on parseFromString ?) or stop parsing in that context.

Status: UNCONFIRMED → NEW
status-firefox135: --- → disabled
status-firefox136: --- → disabled
status-firefox137: --- → disabled
Ever confirmed: true
Keywords: regression
Regressed by: 1931282

Set release status flags based on info from the regressing bug 1931282

:fredw, since you are the author of the regressor, bug 1931282, could you take a look?

For more information, please visit BugBot documentation.

status-firefox-esr128: --- → unaffected
Flags: needinfo?(fwang)

Bug is in PIP not TT

Flags: needinfo?(fwang)

Is the JS global of the PiP code not a Window? If so maybe, the patch from bug 1942517 helps? Otherwise, the PiP code will probably need to wrap the parameters into a trusted type to bypass the default policy check...

Assignee: nobody → tschuster
Status: NEW → ASSIGNED
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9443fe4932fd Make PiP bypass trusted types when using the DOMParser. r=smaug,pip-reviewers,mconley

https://hg.mozilla.org/mozilla-central/rev/9443fe4932fd

Status: ASSIGNED → RESOLVED
Closed: 10 days ago
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch
Blocks: 1948227
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: