Bug 154188

Summary: [Mac] CORS-compliant videos throw security errors when painting to Canvas
Product: WebKit Reporter: Jer Noble <jer.noble>
Component: New BugsAssignee: Jer Noble <jer.noble>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch achristensen: review+

Jer Noble
Reported 2016-02-12 12:57:03 PST
[Mac] CORS-compliant videos throw security errors when painting to Canvas
Attachments
Patch (7.27 KB, patch)
2016-02-12 14:18 PST, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch (12.92 KB, patch)
2016-02-19 10:24 PST, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch (13.42 KB, patch)
2016-02-19 11:28 PST, Jer Noble 		achristensen: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Jer Noble
Comment 1 2016-02-12 14:18:42 PST
Created attachment 271224 [details] Patch
Eric Carlson
Comment 2 2016-02-13 12:28:32 PST
Comment on attachment 271224 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271224&action=review > Source/WebCore/ChangeLog:4 > + [Mac] CORS-compliant videos throw security errors when painting to Canvas > + https://bugs.webkit.org/show_bug.cgi?id=154188 Please include the Radar number for posterity. > Source/WebCore/ChangeLog:9 > + Reviewed by NOBODY (OOPS!). > + > + Pass the CORS access check results from WebCoreNSURLSession to it's client, > + MediaPlayerPrivateAVFoundationObjC. This should really have a test. > Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52 > + Unknown, Nit: Instead of including this unused value, can you make "Fail" zero?
Alex Christensen
Comment 3 2016-02-15 11:05:26 PST
Comment on attachment 271224 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271224&action=review >> Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52 >> + Unknown, > > Nit: Instead of including this unused value, can you make "Fail" zero? This value is used, right? Could you explicitly initialize the value to Unknown? > Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:167 > + return _corsResults == WebCoreNSURLSessionCORSAccessCheckResults::Pass; ASSERT(_corsResults != WebCoreNSURLSessionCORSAccessCheckResults::Fail) before this.
Jer Noble
Comment 4 2016-02-15 12:39:23 PST
(In reply to comment #2) > Comment on attachment 271224 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=271224&action=review > > > Source/WebCore/ChangeLog:4 > > + [Mac] CORS-compliant videos throw security errors when painting to Canvas > > + https://bugs.webkit.org/show_bug.cgi?id=154188 > > Please include the Radar number for posterity. Ok. > > Source/WebCore/ChangeLog:9 > > + Reviewed by NOBODY (OOPS!). > > + > > + Pass the CORS access check results from WebCoreNSURLSession to it's client, > > + MediaPlayerPrivateAVFoundationObjC. > > This should really have a test. Technically, there already are three tests in http/tests/security. We can't enable them because there are platform requirements to enable this feature. > > Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52 > > + Unknown, > > Nit: Instead of including this unused value, can you make "Fail" zero? See below. (In reply to comment #3) > Comment on attachment 271224 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=271224&action=review > > >> Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.h:52 > >> + Unknown, > > > > Nit: Instead of including this unused value, can you make "Fail" zero? > > This value is used, right? Could you explicitly initialize the value to > Unknown? Yes. > > Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:167 > > + return _corsResults == WebCoreNSURLSessionCORSAccessCheckResults::Pass; > > ASSERT(_corsResults != WebCoreNSURLSessionCORSAccessCheckResults::Fail) > before this. Ok.
Jer Noble
Comment 5 2016-02-19 10:23:51 PST
Enabling tests are covered by <https://bugs.webkit.org/show_bug.cgi?id=154462>.
Jer Noble
Comment 6 2016-02-19 10:24:07 PST
Created attachment 271763 [details] Patch
Jer Noble
Comment 7 2016-02-19 10:25:10 PST
rdar://problem/22959556
WebKit Commit Bot
Comment 8 2016-02-19 10:26:05 PST
Attachment 271763 [details] did not pass style-queue: ERROR: Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:522: Place brace on its own line for function definitions. [whitespace/braces] [4] Total errors found: 1 in 5 files If any of these errors are false positives, please file a bug against check-webkit-style.
Jer Noble
Comment 9 2016-02-19 11:28:51 PST
Created attachment 271767 [details] Patch
WebKit Commit Bot
Comment 10 2016-02-19 11:30:59 PST
Attachment 271767 [details] did not pass style-queue: ERROR: Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:524: Place brace on its own line for function definitions. [whitespace/braces] [4] Total errors found: 1 in 5 files If any of these errors are false positives, please file a bug against check-webkit-style.
Alex Christensen
Comment 11 2016-02-19 11:32:47 PST
Comment on attachment 271767 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271767&action=review > Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:2168 > +#if PLATFORM(IOS) || __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100 Should this be strictly greater than?
Jer Noble
Comment 12 2016-02-19 11:46:19 PST
Committed r196827: <http://trac.webkit.org/changeset/196827>
Note You need to log in before you can comment on or make changes to this bug.