Bug 154188

Summary: [Mac] CORS-compliant videos throw security errors when painting to Canvas
Product: WebKit
Reporter: Jer Noble <jer.noble>
Component: New Bugs
Assignee: Jer Noble <jer.noble>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description, Flags):
Patch, none
Patch, none
Patch, achristensen: review+

Description Jer Noble 2016-02-12 12:57:03 PST
[Mac] CORS-compliant videos throw security errors when painting to Canvas
Comment 1 Jer Noble 2016-02-12 14:18:42 PST
Created attachment 271224 [details]
Patch
Comment 2 Eric Carlson 2016-02-13 12:28:32 PST
Comment on attachment 271224 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=271224&action=review

> Source/WebCore/ChangeLog:4
> +        [Mac] CORS-compliant videos throw security errors when painting to Canvas
> +        https://bugs.webkit.org/show_bug.cgi?id=154188

Please include the Radar number for posterity.

> Source/WebCore/ChangeLog:9
> +        Reviewed by NOBODY (OOPS!).
> +
> +        Pass the CORS access check results from WebCoreNSURLSession to it's client,
> +        MediaPlayerPrivateAVFoundationObjC.
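
Review bot: in the ChangeLog description, "it's client" should be the possessive "its client". The description also says only that the CORS access check results are passed to MediaPlayerPrivateAVFoundationObjC; a sentence on how the client uses them would tie the change to the security error named in the bug title.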

This should really have a test.

> Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52
> +    Unknown,

Nit: Instead of including this unused value, can you make "Fail" zero?
Comment 3 Alex Christensen 2016-02-15 11:05:26 PST
Comment on attachment 271224 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=271224&action=review

>> Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52
>> +    Unknown,
> 
> Nit: Instead of including this unused value, can you make "Fail" zero?

This value is used, right?  Could you explicitly initialize the value to Unknown?

> Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:167
> +    return _corsResults == WebCoreNSURLSessionCORSAccessCheckResults::Pass;
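
Review bot: the return at WebCoreNSURLSession.mm:167 yields false for every value other than Pass, so Unknown (declared at WebCoreNSURLSession.h:52) is reported the same way as Fail. Denying access when no check result exists is the safe default, but it is implicit here; a one-line comment above the return stating that Unknown is deliberately treated as no access would keep a later edit from turning the comparison into `!= Fail`.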

ASSERT(_corsResults != WebCoreNSURLSessionCORSAccessCheckResults::Fail) before this.
Comment 4 Jer Noble 2016-02-15 12:39:23 PST
(In reply to comment #2)
> Comment on attachment 271224 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=271224&action=review
> 
> > Source/WebCore/ChangeLog:4
> > +        [Mac] CORS-compliant videos throw security errors when painting to Canvas
> > +        https://bugs.webkit.org/show_bug.cgi?id=154188
> 
> Please include the Radar number for posterity.

Ok.

> > Source/WebCore/ChangeLog:9
> > +        Reviewed by NOBODY (OOPS!).
> > +
> > +        Pass the CORS access check results from WebCoreNSURLSession to it's client,
> > +        MediaPlayerPrivateAVFoundationObjC.
> 
> This should really have a test.

Technically, there already are three tests in http/tests/security. We can't enable them because there are platform requirements to enable this feature.

> > Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52
> > +    Unknown,
> 
> Nit: Instead of including this unused value, can you make "Fail" zero?

See below.

(In reply to comment #3)
> Comment on attachment 271224 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=271224&action=review
> 
> >> Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52
> >> +    Unknown,
> > 
> > Nit: Instead of including this unused value, can you make "Fail" zero?
> 
> This value is used, right?  Could you explicitly initialize the value to
> Unknown?

Yes.

> > Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:167
> > +    return _corsResults == WebCoreNSURLSessionCORSAccessCheckResults::Pass;
> 
> ASSERT(_corsResults != WebCoreNSURLSessionCORSAccessCheckResults::Fail)
> before this.

Ok.
Comment 5 Jer Noble 2016-02-19 10:23:51 PST
Enabling tests is covered by <https://bugs.webkit.org/show_bug.cgi?id=154462>.
Comment 6 Jer Noble 2016-02-19 10:24:07 PST
Created attachment 271763 [details]
Patch
Comment 7 Jer Noble 2016-02-19 10:25:10 PST
rdar://problem/22959556
Comment 8 WebKit Commit Bot 2016-02-19 10:26:05 PST
Attachment 271763 [details] did not pass style-queue:


ERROR: Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:522:  Place brace on its own line for function definitions.  [whitespace/braces] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 9 Jer Noble 2016-02-19 11:28:51 PST
Created attachment 271767 [details]
Patch
Comment 10 WebKit Commit Bot 2016-02-19 11:30:59 PST
Attachment 271767 [details] did not pass style-queue:


ERROR: Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:524:  Place brace on its own line for function definitions.  [whitespace/braces] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 11 Alex Christensen 2016-02-19 11:32:47 PST
Comment on attachment 271767 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=271767&action=review

> Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:2168
> +#if PLATFORM(IOS) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
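
Review bot: the `#if` at MediaPlayerPrivateAVFoundationObjC.mm:2168 compares against the bare number 101100 with no comment naming the OS release or the platform requirement it stands for. A short comment above the guard would let a reader check whether `>=` or `>` is the intended bound without looking the value up.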

Should this be strictly greater than?
Comment 12 Jer Noble 2016-02-19 11:46:19 PST
Committed r196827: <http://trac.webkit.org/changeset/196827>