Bug 173457 - Consider allow gUM to be called from localhost without https
Summary: Consider allow gUM to be called from localhost without https
Status: ASSIGNED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Eric Carlson
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-06-15 22:58 PDT by Jon Lee
Modified: 2017-11-14 07:03 PST (History)
10 users (show)

See Also:


Attachments
Proposed patch. (4.80 KB, patch)
2017-08-14 14:18 PDT, Eric Carlson
no flags Details | Formatted Diff | Diff
Patch for landing. (10.85 KB, patch)
2017-08-15 13:17 PDT, Eric Carlson
commit-queue: commit-queue-
Details | Formatted Diff | Diff
Rebased patch. (10.87 KB, patch)
2017-08-15 14:56 PDT, Eric Carlson
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 David Zulaica 2017-06-22 20:21:32 PDT
getUserMedia is also not available with the file:/// protocol.
Comment 2 Eric Carlson 2017-08-14 14:18:07 PDT
Note that it is possible to enable/disable gUM on insecure sites with the Safari Develop menu. See https://webkit.org/blog/7763/a-closer-look-into-webrtc for details.
Comment 3 Eric Carlson 2017-08-14 14:18:45 PDT
Created attachment 318060 [details]
Proposed patch.
Comment 4 youenn fablet 2017-08-14 14:49:57 PDT
Comment on attachment 318060 [details]
Proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=318060&action=review

> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:105
> +    return equalLettersIgnoringASCIICase(response.url().host(), "localhost");

So only localhost and not 127.0.0.1?
Do you know what other browsers are doing?

> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:111
> +    if (requiresSecureConnection && !isSecure(*document.loader()) && !isLocalhost(*document.loader())) {

Geolocation is not allowing localhost/127.0.0.1 but it is accepting file URLs.
I wonder whether we should not make these two consistent.
If so, we should come up with a common routine.
Comment 5 Radar WebKit Bug Importer 2017-08-15 11:45:33 PDT
<rdar://problem/33900527>
Comment 6 Eric Carlson 2017-08-15 13:17:12 PDT
Created attachment 318159 [details]
Patch for landing.
Comment 7 youenn fablet 2017-08-15 13:33:17 PDT
Comment on attachment 318159 [details]
Patch for landing.


View in context: https://bugs.webkit.org/attachment.cgi?id=318159&action=review

> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:98
> +    return SchemeRegistry::shouldTreatURLSchemeAsSecure(response.url().protocol().toStringWithoutCopying())

I did not know about toStringWithoutCopying method.
Maybe shouldTreatURLSchemeAsSecure should take a StringView though?

> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:107
> +    if (requiresSecureConnection && !isSecure(documentLoader) && !SecurityOrigin::isLocalHostOrLoopbackIPAddress(documentLoader.response().url())) {

Why not placing SecurityOrigin::isLocalHostOrLoopbackIPAddress call in isSecure function?

> Source/WebCore/page/SecurityOrigin.cpp:134
> +    if (SecurityOrigin::isLocalHostOrLoopbackIPAddress(url))

Sounds good although unrelated to the initial purpose of that change.
Looking at https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy, it also considers www.localhost as potentially trustworthy.
Maybe we should split out this part and try realigning our implementation with the spec.

> Source/WebCore/page/SecurityOrigin.cpp:592
> +    // FIXME: Ensure that localhost resolves to the loopback address.

As per the spec, this FIXME might no longer be something we might care about.
Comment 8 Eric Carlson 2017-08-15 13:58:08 PDT
Comment on attachment 318159 [details]
Patch for landing.

View in context: https://bugs.webkit.org/attachment.cgi?id=318159&action=review

>> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:107
>> +    if (requiresSecureConnection && !isSecure(documentLoader) && !SecurityOrigin::isLocalHostOrLoopbackIPAddress(documentLoader.response().url())) {
> 
> Why not placing SecurityOrigin::isLocalHostOrLoopbackIPAddress call in isSecure function?

I am not an expert in this area, but I assume SecurityOrigin::isPotentionallyTrustworthy allows localhost/loopback and SecurityOrigin::isSecure doesn't by design, so I will leave this as is for now and talk to @dbates about it.

>> Source/WebCore/page/SecurityOrigin.cpp:134
>> +    if (SecurityOrigin::isLocalHostOrLoopbackIPAddress(url))
> 
> Sounds good although unrelated to the initial purpose of that change.
> Looking at https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy, it also considers www.localhost as potentially trustworthy.
> Maybe we should split out this part and try realigning our implementation with the spec.

This will have implications for other parts of WebKit, so lets leave that for another change.

>> Source/WebCore/page/SecurityOrigin.cpp:592
>> +    // FIXME: Ensure that localhost resolves to the loopback address.
> 
> As per the spec, this FIXME might no longer be something we might care about.

I think we do for now because https://w3c.github.io/webappsec-secure-contexts/#localhost says that user agents MAY treat localhost names as having potentially trustworthy origins "if and only if ... localhost never resolves to a non-loopback address". Others are following discussions elsewhere about changing this, so this comment will be removed if/when that changes.
Comment 9 WebKit Commit Bot 2017-08-15 14:15:20 PDT
Comment on attachment 318159 [details]
Patch for landing.

Rejecting attachment 318159 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 318159, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
.webkit.org/git/WebKit
   4ef9ce9..1fb5568  master     -> origin/master
Partial-rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc ...
Currently at 220758 = 4ef9ce9da4ece36525787f3029fc0747c27790c8
r220759 = 1fb556876104fc0d5aaf782e9e62313e62d0acde
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.

Full output: http://webkit-queues.webkit.org/results/4319604
Comment 10 Eric Carlson 2017-08-15 14:51:56 PDT
Comment on attachment 318159 [details]
Patch for landing.

View in context: https://bugs.webkit.org/attachment.cgi?id=318159&action=review

>>> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:107
>>> +    if (requiresSecureConnection && !isSecure(documentLoader) && !SecurityOrigin::isLocalHostOrLoopbackIPAddress(documentLoader.response().url())) {
>> 
>> Why not placing SecurityOrigin::isLocalHostOrLoopbackIPAddress call in isSecure function?
> 
> I am not an expert in this area, but I assume SecurityOrigin::isPotentionallyTrustworthy allows localhost/loopback and SecurityOrigin::isSecure doesn't by design, so I will leave this as is for now and talk to @dbates about it.

Oops, Dan pointed out that you were suggesting I do this check inside of isSecure in *this* file. I didn't do that because semantically localhost/loopback isn't secure, but it is something we allow as an exception.
Comment 11 Eric Carlson 2017-08-15 14:56:59 PDT
Created attachment 318177 [details]
Rebased patch.
Comment 12 WebKit Commit Bot 2017-08-15 15:38:38 PDT
Comment on attachment 318177 [details]
Rebased patch.

Rejecting attachment 318177 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'land-attachment', '--force-clean', '--non-interactive', '--parent-command=commit-queue', 318177, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit

Last 500 characters of output:
    -> origin/master
Partial-rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc ...
Currently at 220761 = 0f5ef5f5c48ee19395f265454cec76a57a23306f
r220762 = 70a4f6f95592494e9aa0c812d3a03e08630ecc0f
r220763 = abc7aa56fed15ca049b6c3cd6c35949bf1412e48
Done rebuilding .git/svn/refs/remotes/origin/master/.rev_map.268f45cc-cd09-0410-ab3c-d52691b4dbfc
First, rewinding head to replay your work on top of it...
Fast-forwarded master to refs/remotes/origin/master.

Full output: http://webkit-queues.webkit.org/results/4320064
Comment 13 WebKit Commit Bot 2017-08-16 13:20:59 PDT
Comment on attachment 318177 [details]
Rebased patch.

Clearing flags on attachment: 318177

Committed r220805: <http://trac.webkit.org/changeset/220805>