Bug 837153 - Simple CORS Video WebGL texture fails security check
Product: Core
Classification: Components
Component: Canvas: WebGL
: Trunk
: x86_64 Linux
-- normal
Assigned To: Nobody; OK to take it and work on it
: Milan Sreckovic [:milan]
Depends on: 837152
Blocks: 682299
Reported: 2013-02-01 09:20 PST by Benoit Jacob [:bjacob] (mostly away)
Modified: 2013-02-05 12:52 PST


Description Benoit Jacob [:bjacob] (mostly away) 2013-02-01 09:20:46 PST
Here's a simple WebGL CORS video testcase:

It fails the security check.

That's weird as the webm file is really served with CORS headers. Can't easily check them in Firefox due to bug 837152 but in Chromium I get (see "Access-Control-Allow-Origin: *" in the response):

Request Headers
GET /threejs/three.js/examples/textures/kinect.webm HTTP/1.1
Connection: keep-alive
Accept-Encoding: identity;q=1, *;q=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chrome/20.0.1132.47 Safari/536.11
Accept: */*
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Range: bytes=0-

Response Headers
HTTP/1.1 206 Partial Content
Date: Fri, 01 Feb 2013 17:14:59 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Mon, 07 Jan 2013 03:28:53 GMT
ETag: "8d83a6-3d6878-4d2aa6db3d0fa"
Accept-Ranges: bytes
Content-Length: 4024440
Access-Control-Allow-Origin: *
Content-Range: bytes 0-4024439/4024440
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: video/webm

What might (not sure) be weird looking at these headers though is that the request header doesn't have an Origin header.
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2013-02-01 09:26:43 PST
Note: Chrome gives a security exception too, but that might just be because it doesn't support WebGL cross-origin video textures yet (??)
Comment 2 Jonas Sicking (:sicking) No longer reading bugmail consistently 2013-02-02 03:30:23 PST

video.crossOrigin = '';


video.crossorigin = '';
Comment 3 Benoit Jacob [:bjacob] (mostly away) 2013-02-02 07:22:33 PST
That works!!!

I thought I had tried that! Thanks, and sorry.

Note: the testcase still gives a NS_ERROR_FAILURE the first time as the first call to nsLayoutUtils::SurfaceFromElement returns no surface. I suppose that means that image data is not yet available; weird as we do that in the canplay handler, but whatever.
Comment 4 Benoit Jacob [:bjacob] (mostly away) 2013-02-02 07:23:32 PST
...and indeed, our unit tests have .crossorigin all lowercase.
Comment 5 Benoit Jacob [:bjacob] (mostly away) 2013-02-02 07:35:54 PST
Emailed public_webgl about the remaining NS_ERROR_FAILURE. As a work-around for now you could put a try{...} around that texImage2D call.
Comment 6 dgossow 2013-02-05 12:52:44 PST
According to the HTML spec, the IDL attribute for the 'crossorigin' content attribute should be called 'crossOrigin'.
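
The pattern this thread converges on, as an added example (not code from the bug or from Mozilla): request the video in CORS mode before assigning `src`, confirm the `crossorigin` content attribute was actually set regardless of how the property is cased, and guard the `texImage2D` call. The helper names `prepareCorsVideo` and `uploadVideoFrame` are hypothetical.

```javascript
// Added example; helper names are hypothetical, not from the bug.
const HAVE_CURRENT_DATA = 2; // HTMLMediaElement.readyState: a frame is available

// Put the element in CORS mode. This must run before `src` is assigned,
// otherwise the fetch has already started without an Origin header.
function prepareCorsVideo(video, url) {
  video.crossOrigin = 'anonymous';
  // A property with the wrong case only creates a plain JS property and
  // leaves the element in no-CORS mode, with no error raised. Check that
  // the content attribute was reflected and set it directly if it was not.
  if (!video.hasAttribute('crossorigin')) {
    video.setAttribute('crossorigin', 'anonymous');
  }
  video.src = url;
  return video.getAttribute('crossorigin');
}

// Upload the current frame and report the outcome instead of throwing.
function uploadVideoFrame(gl, texture, video) {
  if (video.readyState < HAVE_CURRENT_DATA) {
    return 'not-ready'; // no decoded frame yet; retry on the next frame
  }
  try {
    gl.bindTexture(gl.TEXTURE_2D, texture);
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, gl.RGBA, gl.UNSIGNED_BYTE, video);
    return 'ok';
  } catch (e) {
    // SecurityError: the media is cross-origin and did not pass the CORS check.
    return e.name === 'SecurityError' ? 'blocked' : 'failed';
  }
}
```

A `'blocked'` result points at the CORS setup (attribute not set in time, or no `Access-Control-Allow-Origin` on the response); `'failed'` covers other exceptions such as the `NS_ERROR_FAILURE` mentioned in comment 3.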