Simple CORS Video WebGL texture fails security check

RESOLVED INVALID

Status

()

Core
Canvas: WebGL
RESOLVED INVALID
4 years ago
4 years ago

People

(Reporter: bjacob, Unassigned)

Tracking

Trunk
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: webgl-conformance, URL)

Here's a simple WebGL CORS video testcase:

  http://people.mozilla.org/~bjacob/video-cors.html

It fails the security check.

That's weird as the webm file is really served with CORS headers. Can't easily check them in Firefox due to bug 837152 but in Chromium I get (see "Access-Control-Allow-Origin: *" in the response):

Request Headers
GET /threejs/three.js/examples/textures/kinect.webm HTTP/1.1
Host: kammerl.de
Connection: keep-alive
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11
Accept: */*
Referer: http://people.mozilla.org/~bjacob/video-cors.html
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Range: bytes=0-

Response Headers
HTTP/1.1 206 Partial Content
Date: Fri, 01 Feb 2013 17:14:59 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Mon, 07 Jan 2013 03:28:53 GMT
ETag: "8d83a6-3d6878-4d2aa6db3d0fa"
Accept-Ranges: bytes
Content-Length: 4024440
Access-Control-Allow-Origin: *
Content-Range: bytes 0-4024439/4024440
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: video/webm


What might (not sure) be weird looking at these headers though is that the request header doesn't have an Origin header.
(Reporter)

Updated

4 years ago
Summary: Simple CORS Video WebGL texture fails to pass security check → Simple CORS Video WebGL texture fails security check
(Reporter)

Comment 1

4 years ago
Note: Chrome gives a security exception too, but that might just be because it doesn't support WebGL cross-origin video textures yet (??)
change

video.crossOrigin = '';

to

video.crossorigin = '';
(Reporter)

Comment 3

4 years ago
That works!!!

I thought I had tried that! Thanks, and sorry.

Note: the testcase still gives a NS_ERROR_FAILURE the first time as the first call to nsLayoutUtils::SurfaceFromElement returns no surface. I suppose that means that image data is not yet available; weird as we do that in the canplay handler, but whatever.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
(Reporter)

Comment 4

4 years ago
...and indeed, our unit tests have .crossorigin all lowercase.
(Reporter)

Comment 5

4 years ago
Emailed public_webgl about the remaining NS_ERROR_FAILURE. As a work-around for now you could put a try{...} around that texImage2D call.

Comment 6

4 years ago
According to the HTML spec, the IDL attribute for the 'crossorigin' content attribute should be called 'crossOrigin'.

http://dev.w3.org/html5/spec-preview/media-elements.html#attr-media-crossorigin
You need to log in before you can comment on or make changes to this bug.