Title: [236961] trunk
Revision
236961
Author
ph...@webkit.org
Date
2018-10-09 08:10:17 -0700 (Tue, 09 Oct 2018)

Log Message

[GStreamer] Stealing cross-origin video pixel with HLS
https://bugs.webkit.org/show_bug.cgi?id=190003

Reviewed by Xabier Rodriguez-Calvar.

Source/WebCore:

Report the SecurityOrigin of downloaded adaptivedemux (HLS, DASH,
SmoothStreaming) fragments as tainted if their origin differs from
the manifest SecurityOrigin. SecurityOrigins are stored in the
CachedResourceStreamingClient implemented in the internal
GStreamer HTTP(S) source element.

The implementation is not ideal yet because the fragments' download
is performed by the WebProcess, until bug 189967 is fixed. When
this bug is fixed, the m_hasTaintedOrigin member variable should
be removed and all checks be done unconditionally to the
webkithttpsrc element which will manage the download of the
manifests and fragments.

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::loadFull): Reset the m_hasTaintedOrigin value.
(WebCore::MediaPlayerPrivateGStreamer::handleMessage): Get the
fragment URL from the adaptivedemux stats message and check if its
origin is tainted.
(WebCore::MediaPlayerPrivateGStreamer::wouldTaintOrigin const):
Initial implementation by checking the m_hasTaintedOrigin member
variable value.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
* platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(CachedResourceStreamingClient::responseReceived): Store the
resource origin internally so it can be checked later on by
webKitSrcWouldTaintOrigin().
(webKitSrcWouldTaintOrigin): Check given origin against cached
origins. This implementation is similar to Cocoa's
WebCoreNSURLSession implementation.
* platform/graphics/gstreamer/WebKitWebSourceGStreamer.h:

LayoutTests:

* platform/gtk/TestExpectations: Unflag now-passing test.
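The log message describes the decision path in prose: the internal HTTP source remembers the origin of the manifest response, adaptivedemux reports each fragment URI in a statistics message, and the player marks the stream tainted when a fragment origin cannot access the manifest origin. The following C++ is an added, self-contained model of that path; it is example code, not WebKit's, and the Origin parser, the StreamingClient/Player class names and the playbackTaints() driver are assumptions of the example. It goes one step beyond the patch in one respect, stated in the comments: per-fragment verdicts are OR-ed into the player's flag instead of overwriting it, so one cross-origin fragment keeps the stream tainted for the rest of playback.

```cpp
#include <optional>
#include <string>
#include <vector>

// Stand-in for WebCore::SecurityOrigin: the (scheme, host, port) tuple.
struct Origin {
    std::string scheme;
    std::string host;
    int port = 0;
    // Same-origin test, the role SecurityOrigin::canAccess() plays in the patch.
    bool canAccess(const Origin& other) const { return scheme == other.scheme && host == other.host && port == other.port; }
};

// Example-only parser for "scheme://host[:port][/path]": http(s) only, anything else is rejected.
std::optional<Origin> originFromURL(const std::string& url)
{
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return std::nullopt;
    Origin origin;
    origin.scheme = url.substr(0, schemeEnd);
    if (origin.scheme != "http" && origin.scheme != "https")
        return std::nullopt;
    const auto authorityStart = schemeEnd + 3;
    const auto slash = url.find('/', authorityStart);
    const std::string authority = url.substr(authorityStart, slash == std::string::npos ? std::string::npos : slash - authorityStart);
    const auto colon = authority.find(':');
    origin.host = authority.substr(0, colon);
    if (origin.host.empty())
        return std::nullopt;
    if (colon == std::string::npos) {
        origin.port = origin.scheme == "https" ? 443 : 80; // scheme default port
        return origin;
    }
    const std::string portText = authority.substr(colon + 1);
    if (portText.empty() || portText.find_first_not_of("0123456789") != std::string::npos)
        return std::nullopt;
    origin.port = std::stoi(portText);
    return origin;
}

// Stand-in for CachedResourceStreamingClient: keeps the origin of every response the source delivered.
class StreamingClient {
public:
    // The response URL is the post-redirect URL, so a redirected manifest records the redirect target.
    void responseReceived(const std::string& responseURL)
    {
        if (auto origin = originFromURL(responseURL))
            m_origins.push_back(*origin);
    }

    // Same rule as webKitSrcWouldTaintOrigin(): taints if the candidate cannot access any recorded origin.
    bool wouldTaintOrigin(const Origin& origin) const
    {
        for (const auto& responseOrigin : m_origins)
            if (!origin.canAccess(responseOrigin))
                return true;
        return false;
    }

private:
    std::vector<Origin> m_origins;
};

// Player side, with one deliberate difference from the patch: verdicts are OR-ed, not overwritten.
class Player {
public:
    // loadFull(): fresh source, verdict back to "unknown".
    void load(const std::string& manifestResponseURL)
    {
        m_source = StreamingClient();
        m_source.responseReceived(manifestResponseURL);
        m_hasTaintedOrigin.reset();
    }

    // handleMessage() for an adaptive-streaming-statistics message carrying `uri`.
    void handleAdaptiveStreamingStatistics(const std::string& fragmentURI)
    {
        const auto origin = originFromURL(fragmentURI);
        // An unparseable URI counts as cross-origin; the OR keeps the taint sticky for the rest of playback.
        const bool fragmentTaints = !origin || m_source.wouldTaintOrigin(*origin);
        m_hasTaintedOrigin = m_hasTaintedOrigin.value_or(false) || fragmentTaints;
    }

    // nullopt means no fragment has been reported yet; callers must treat that as unsafe.
    std::optional<bool> wouldTaintOrigin() const { return m_hasTaintedOrigin; }

private:
    StreamingClient m_source;
    std::optional<bool> m_hasTaintedOrigin;
};

// Whole playback: one manifest response, then the fragment URIs adaptivedemux reports.
std::optional<bool> playbackTaints(const std::string& manifestResponseURL, const std::vector<std::string>& fragmentURIs)
{
    Player player;
    player.load(manifestResponseURL);
    for (const auto& uri : fragmentURIs)
        player.handleAdaptiveStreamingStatistics(uri);
    return player.wouldTaintOrigin();
}
```

The model makes two choices explicit that the patch leaves implicit: a scheme or port mismatch (http manifest, https fragment) is cross-origin just like a host mismatch, and a playback that never reported a fragment yields nullopt rather than false, so the canvas read-back decision cannot default to "allowed" on a stream that has not been checked.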

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (236960 => 236961)


--- trunk/LayoutTests/ChangeLog	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/LayoutTests/ChangeLog	2018-10-09 15:10:17 UTC (rev 236961)
@@ -1,3 +1,12 @@
+2018-10-09  Philippe Normand  <pnorm...@igalia.com>
+
+        [GStreamer] Stealing cross-origin video pixel with HLS
+        https://bugs.webkit.org/show_bug.cgi?id=190003
+
+        Reviewed by Xabier Rodriguez-Calvar.
+
+        * platform/gtk/TestExpectations: Unflag now-passing test.
+
 2018-10-08  Devin Rousso  <drou...@apple.com>
 
         Fix inspector/canvas/recording.html after r236952

Modified: trunk/LayoutTests/platform/gtk/TestExpectations (236960 => 236961)


--- trunk/LayoutTests/platform/gtk/TestExpectations	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/LayoutTests/platform/gtk/TestExpectations	2018-10-09 15:10:17 UTC (rev 236961)
@@ -3495,7 +3495,6 @@
 
 webkit.org/b/187770 media/no-fullscreen-when-hidden.html [ Failure ]
 webkit.org/b/187994 compositing/backing/backing-store-attachment-fill-forwards-animation.html [ Failure ]
-webkit.org/b/187996 http/tests/security/canvas-remote-read-remote-video-hls.html [ Failure ]
 
 webkit.org/b/188098 webanimations/accelerated-animation-with-delay.html [ ImageOnlyFailure ]
 
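Review bot: only the HLS test (http/tests/security/canvas-remote-read-remote-video-hls.html, bug 187996) is unflagged here, while the ChangeLog says DASH and SmoothStreaming fragments are reported as tainted too; if equivalent DASH or SmoothStreaming canvas read-back tests exist, unflag them in the same change, and if none exist, narrow the ChangeLog claim to what this test actually covers.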

Modified: trunk/Source/WebCore/ChangeLog (236960 => 236961)


--- trunk/Source/WebCore/ChangeLog	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/Source/WebCore/ChangeLog	2018-10-09 15:10:17 UTC (rev 236961)
@@ -1,3 +1,41 @@
+2018-10-09  Philippe Normand  <pnorm...@igalia.com>
+
+        [GStreamer] Stealing cross-origin video pixel with HLS
+        https://bugs.webkit.org/show_bug.cgi?id=190003
+
+        Reviewed by Xabier Rodriguez-Calvar.
+
+        Report the SecurityOrigin of downloaded adaptivedemux (HLS, DASH,
+        SmoothStreaming) fragments as tainted if their origin differs from
+        the manifest SecurityOrigin. SecurityOrigins are stored in the
+        CachedResourceStreamingClient implemented in the internal
+        GStreamer HTTP(S) source element.
+
+        The implementation is not ideal yet because the fragments download
+        is performed by the WebProcess, until bug 189967 is fixed. When
+        this bug is fixed, the m_hasTaintedOrigin member variable should
+        be removed and all checks be done unconditionally to the
+        webkithttpsrc element which will manage the download of the
+        manifests and fragments.
+
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
+        (WebCore::MediaPlayerPrivateGStreamer::loadFull): Reset the m_hasTaintedOrigin value.
+        (WebCore::MediaPlayerPrivateGStreamer::handleMessage): Get the
+        fragment URL from the adaptivedemux stats message and check if its
+        origin is tainted.
+        (WebCore::MediaPlayerPrivateGStreamer::wouldTaintOrigin const):
+        Initial implementation by checking the m_hasTaintedOrigin member
+        variable value.
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
+        * platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
+        (CachedResourceStreamingClient::responseReceived): Store the
+        resource origin internally so it can be checked later on by
+        webKitSrtcWouldTaintOrigin().
+        (webKitSrcWouldTaintOrigin): Check given origin against cached
+        origins. This implementation is similar to Cocoa's
+        WebCoreNSURLSession implementation.
+        * platform/graphics/gstreamer/WebKitWebSourceGStreamer.h:
+
 2018-10-09  Antti Koivisto  <an...@apple.com>
 
         Prewarm FontDatabase on process swap
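Review bot: the function name in the responseReceived entry is misspelled as webKitSrtcWouldTaintOrigin(); it should read webKitSrcWouldTaintOrigin(), matching the next entry and the declaration in WebKitWebSourceGStreamer.h.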

Modified: trunk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp (236960 => 236961)


--- trunk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp	2018-10-09 15:10:17 UTC (rev 236961)
@@ -289,6 +289,7 @@
     m_player->readyStateChanged();
     m_volumeAndMuteInitialized = false;
     m_durationAtEOS = MediaTime::invalidTime();
+    m_hasTaintedOrigin = std::nullopt;
 
     if (!m_delayingLoad)
         commitLoad();
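Review bot: resetting m_hasTaintedOrigin to std::nullopt in loadFull() deliberately makes wouldTaintOrigin() report "unknown" rather than "not tainted" until the first adaptive-streaming-statistics message arrives, and that state persists for non-adaptive streams that never emit one; a one-line comment next to the reset saying that callers must treat nullopt conservatively would keep a later reader from "fixing" it to false.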
@@ -1329,6 +1330,10 @@
                 }
                 gst_structure_free(responseHeaders);
             }
+        } else if (gst_structure_has_name(structure, "adaptive-streaming-statistics")) {
+            if (WEBKIT_IS_WEB_SRC(m_source.get()))
+                if (const char* uri = gst_structure_get_string(structure, "uri"))
+                    m_hasTaintedOrigin = webKitSrcWouldTaintOrigin(WEBKIT_WEB_SRC(m_source.get()), SecurityOrigin::create(URL(URL(), uri)));
         } else
             GST_DEBUG("Unhandled element message: %" GST_PTR_FORMAT, structure);
         break;
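Review bot: `m_hasTaintedOrigin = webKitSrcWouldTaintOrigin(...)` overwrites the flag on every adaptive-streaming-statistics message, so a cross-origin fragment followed by a same-origin one flips the verdict back to false and the page can read the pixels after all; tainting needs to be sticky, e.g. `m_hasTaintedOrigin = m_hasTaintedOrigin.value_or(false) || webKitSrcWouldTaintOrigin(...)`. The two nested ifs also silently skip the assignment when the message carries no `uri` field or the source is not a WebKitWebSrc; since this message is the only taint signal, treating a missing or unparseable URI as tainted is the safer default.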
@@ -2648,6 +2653,17 @@
     return false;
 }
 
+std::optional<bool> MediaPlayerPrivateGStreamer::wouldTaintOrigin(const SecurityOrigin&) const
+{
+    // Ideally the given origin should always be verified with
+    // webKitSrcWouldTaintOrigin() instead of only checking it for
+    // adaptive-streaming-statistics. We can't do this yet because HLS fragments
+    // are currently downloaded independently from WebKit.
+    // See also https://bugs.webkit.org/show_bug.cgi?id=189967.
+    return m_hasTaintedOrigin;
 }
 
+
+}
+
 #endif // USE(GSTREAMER)
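Review bot: wouldTaintOrigin() ignores its SecurityOrigin parameter and hands the same per-player flag to every caller, so the answer is only correct if the flag was computed against the document origin that is asking; the comment should state that limitation alongside the bug 189967 reference. Style point: the hunk leaves two consecutive blank lines between the function's closing brace and the namespace's closing brace (the existing context blank plus the added one); drop the added blank line.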

Modified: trunk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h (236960 => 236961)


--- trunk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h	2018-10-09 15:10:17 UTC (rev 236961)
@@ -109,6 +109,7 @@
     MediaTime maxTimeLoaded() const override;
 
     bool hasSingleSecurityOrigin() const override;
+    std::optional<bool> wouldTaintOrigin(const SecurityOrigin&) const override;
 
     void loadStateChanged();
     void timeChanged();
@@ -286,6 +287,8 @@
 #endif
 #endif
     virtual bool isMediaSource() const { return false; }
+
+    std::optional<bool> m_hasTaintedOrigin { std::nullopt };
 };
 }
 
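Review bot: the in-class initializer `{ std::nullopt }` is redundant, since a default-constructed std::optional is already empty; `std::optional<bool> m_hasTaintedOrigin;` says the same thing in the usual WebKit form.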

Modified: trunk/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp (236960 => 236961)


--- trunk/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp	2018-10-09 15:10:17 UTC (rev 236961)
@@ -30,6 +30,7 @@
 #include "ResourceError.h"
 #include "ResourceRequest.h"
 #include "ResourceResponse.h"
+#include "SecurityOrigin.h"
 #include <cstdint>
 #include <gst/app/gstappsrc.h>
 #include <gst/pbutils/missing-plugins.h>
@@ -42,6 +43,9 @@
 public:
     CachedResourceStreamingClient(WebKitWebSrc*, ResourceRequest&&);
     virtual ~CachedResourceStreamingClient();
+
+    const HashSet<RefPtr<WebCore::SecurityOrigin>>& securityOrigins() const { return m_origins; }
+
 private:
     void checkUpdateBlocksize(uint64_t bytesRead);
 
@@ -63,6 +67,7 @@
 
     GRefPtr<GstElement> m_src;
     ResourceRequest m_request;
+    HashSet<RefPtr<WebCore::SecurityOrigin>> m_origins;
 };
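Review bot: HashSet<RefPtr<WebCore::SecurityOrigin>> hashes RefPtr by pointer, and SecurityOrigin::create() returns a fresh object per call, so this set never deduplicates equal origins and grows by one entry per response delivered to the client; if a client can see more than one response, key the set by origin string (e.g. the result of toString()) or compare with isSameOriginAs() before inserting. The `WebCore::` qualifier on both the accessor and the member is also unnecessary given the unqualified `SecurityOrigin::create` used later in this file.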
 
 enum MainThreadSourceNotification {
@@ -788,6 +793,9 @@
 
     GST_DEBUG_OBJECT(src, "Received response: %d", response.httpStatusCode());
 
+    auto origin = SecurityOrigin::create(response.url());
+    m_origins.add(WTFMove(origin));
+
     auto responseURI = response.url().string().utf8();
     if (priv->originalURI != responseURI)
         priv->redirectedURI = WTFMove(responseURI);
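Review bot: taking the origin from response.url() records the post-redirect origin, which is the right value for tainting, but it is recorded for every response regardless of status and before the redirectedURI bookkeeping below; add a short comment that error and redirected responses are counted on purpose (extra origins only make the check more conservative), and the two statements collapse to `m_origins.add(SecurityOrigin::create(response.url()));`.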
@@ -994,4 +1002,16 @@
         gst_app_src_end_of_stream(priv->appsrc);
 }
 
+bool webKitSrcWouldTaintOrigin(WebKitWebSrc* src, const SecurityOrigin& origin)
+{
+    WebKitWebSrcPrivate* priv = src->priv;
+
+    auto* cachedResourceStreamingClient = reinterpret_cast<CachedResourceStreamingClient*>(priv->resource->client());
+    for (auto& responseOrigin : cachedResourceStreamingClient->securityOrigins()) {
+        if (!origin.canAccess(*responseOrigin))
+            return true;
+    }
+    return false;
+}
+
 #endif // ENABLE(VIDEO) && USE(GSTREAMER)
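Review bot: `priv->resource->client()` is dereferenced without checking `priv->resource`, and the `reinterpret_cast` to CachedResourceStreamingClient* assumes that is the only client type ever attached; because this runs from a bus message handler, the source may already have been stopped and its resource released by the time the message is processed, so guard with `if (!priv->resource) return true;` (unknown is treated as tainted) and prefer static_cast if the client type relationship allows it. A one-line comment that the loop returns true as soon as the origin cannot access any recorded origin, i.e. the conservative direction, would also help.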

Modified: trunk/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h (236960 => 236961)


--- trunk/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h	2018-10-09 13:54:57 UTC (rev 236960)
+++ trunk/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h	2018-10-09 15:10:17 UTC (rev 236961)
@@ -24,6 +24,7 @@
 
 namespace WebCore {
 class MediaPlayer;
+class SecurityOrigin;
 }
 
 G_BEGIN_DECLS
@@ -51,6 +52,7 @@
 GType webkit_web_src_get_type(void);
 void webKitWebSrcSetMediaPlayer(WebKitWebSrc*, WebCore::MediaPlayer*);
 bool webKitSrcPassedCORSAccessCheck(WebKitWebSrc*);
+bool webKitSrcWouldTaintOrigin(WebKitWebSrc*, const WebCore::SecurityOrigin&);
 
 G_END_DECLS
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes