Bug 222130

Summary:

hasBrokenEncryptedMediaAPISupportQuirk and needsPreloadAutoQuirk have overly permissive domain allow lists

Product:

WebKit

Reporter:

Rich Dougherty <rich>

Component:

Media

Assignee:

Eric Carlson <eric.carlson>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

christian.n.klein, darin, eric.carlson, jer.noble, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=190051
https://bugs.webkit.org/show_bug.cgi?id=235015

Attachments:

Description	Flags
Patch	none
Patch	none
Followup to fix typo	none

Rich Dougherty

Reported 2021-02-18 13:37:58 PST

The hasBrokenEncryptedMediaAPISupportQuirk enables quirks behaviour for several whitelisted domains. The rule to allow subdomains of hulu.com appears to be missing a "." so it would also allow sites like "notreallyhulu.com" as well as genuine subdomains. In other words, the check 'domain.endsWith("hulu.com")' should probably be 'domain.endsWith(".hulu.com")'. This would bring it in line with rules for the other domains. See: https://github.com/WebKit/WebKit/blob/4e8064a058644469e9312abdb736c4164c848e71/Source/WebCore/page/Quirks.cpp#L187

Attachments
Patch (1.92 KB, patch) 2022-01-10 09:58 PST, Eric Carlson	no flags	Details Formatted Diff Diff
Patch (2.48 KB, patch) 2022-01-10 10:52 PST, Eric Carlson	no flags	Details Formatted Diff Diff
Followup to fix typo (1.41 KB, patch) 2022-01-10 15:09 PST, Eric Carlson	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Rich Dougherty

Comment 1 2021-02-18 13:43:27 PST

needsPreloadAutoQuirk appears to have the same issue with the vimeo.com domain https://github.com/WebKit/WebKit/blob/4e8064a058644469e9312abdb736c4164c848e71/Source/WebCore/page/Quirks.cpp#L767 Credit: - https://news.ycombinator.com/item?id=26166497 - https://twitter.com/mikesherov/status/1208025766832803841

Radar WebKit Bug Importer

Comment 2 2021-02-25 13:38:12 PST

<rdar://problem/74758560>

Eric Carlson

Comment 3 2022-01-10 09:58:45 PST

Created attachment 448763 [details] Patch

Eric Carlson

Comment 4 2022-01-10 10:01:34 PST

*** Bug 235015 has been marked as a duplicate of this bug. ***

Eric Carlson

Comment 5 2022-01-10 10:52:46 PST

Created attachment 448775 [details] Patch

EWS

Comment 6 2022-01-10 13:55:19 PST

Committed r287855 (245901@main): <https://commits.webkit.org/245901@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448775 [details].

Darin Adler

Comment 7 2022-01-10 14:08:03 PST

Comment on attachment 448775 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448775&action=review > Source/WebCore/page/Quirks.cpp:820 > + m_needsPreloadAutoQuirk = domain == "vimeo"_s; This should be "vimeo.com", right?

Eric Carlson

Comment 8 2022-01-10 15:03:11 PST

Comment on attachment 448775 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448775&action=review >> Source/WebCore/page/Quirks.cpp:820 >> + m_needsPreloadAutoQuirk = domain == "vimeo"_s; > > This should be "vimeo.com", right? It certainly should!

Eric Carlson

Comment 9 2022-01-10 15:09:32 PST

Reopening to attach new patch.

Eric Carlson

Comment 10 2022-01-10 15:09:33 PST

Created attachment 448803 [details] Followup to fix typo

EWS

Comment 11 2022-01-10 15:43:44 PST

Committed r287862 (245906@main): <https://commits.webkit.org/245906@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448803 [details].

Note You need to log in before you can comment on or make changes to this bug.