Bug 205744 - Make text track loading set same-origin fallback flag
Summary: Make text track loading set same-origin fallback flag
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Rob Buis
Keywords: InRadar
Depends on: 216672
  Show dependency treegraph
Reported: 2020-01-03 12:16 PST by Rob Buis
Modified: 2022-04-22 03:23 PDT (History)
15 users (show)

See Also:

Patch (18.35 KB, patch)
2020-01-03 12:25 PST, Rob Buis
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Rob Buis 2020-01-03 12:16:43 PST
Make text track loading set same-origin fallback flag:
Comment 1 Rob Buis 2020-01-03 12:25:43 PST
Created attachment 386706 [details]
Comment 2 Rob Buis 2020-01-03 13:54:37 PST
Comment on attachment 386706 [details]

This is the second and final part of the split mentioned in https://bugs.webkit.org/show_bug.cgi?id=205326.
Comment 3 WebKit Commit Bot 2020-01-03 23:57:30 PST
Comment on attachment 386706 [details]

Clearing flags on attachment: 386706

Committed r254031: <https://trac.webkit.org/changeset/254031>
Comment 4 WebKit Commit Bot 2020-01-03 23:57:32 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2020-01-03 23:58:19 PST
Comment 6 Jer Noble 2020-09-17 16:26:34 PDT
Reopening as this patch caused a regression where videos on jw.org fail to show subtitles.
Comment 7 Jer Noble 2020-09-17 16:33:19 PDT
jw.org has captions hosted on Akamai where the .vtt file has CORS headers but the .mp4 file does not. So captions work if `crossorigin=anonymous` is added, but that breaks video rendering.

Other browsers play captions fine without the `crossorigin` attribute, and there does not seem to be WPT tests that verify behavior for this scenario (!same origin, no-cors, headers present). Since this caused behavior regressions in the wild, and other browsers have not implemented this same behavior, we're reverting this on trunk for now.
Comment 8 Rob Buis 2020-12-22 01:32:05 PST
@Anne I implemented [1] but it seems to cause regressions in the wild, see comment 7. Do you know whether mozilla implemented this? Should the spec be changed?

[1] https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request
Comment 9 Anne van Kesteren 2021-01-06 03:13:51 PST
I guess other browsers do not use "same-origin" as the fallback and rather use "cors" always? And let credentials mode depend on the media element? It seems this is the only case where we pass the same-origin fallback flag and it might not be well tested.

I do hope they all enforce CORS as there would be a security problem otherwise.

`html/semantics/embedded-content/media-elements/track/track-element/track-data-url.html` does not really seem to test this as data URLs are considered same-origin. That does seem like a useful template to be able to add some cross-origin tests, though testing the credentials part might require some server-side logic as well.

I filed https://github.com/whatwg/html/issues/6267 to track this standards-wise.
Comment 10 youenn fablet 2022-04-22 03:23:34 PDT
I validated Chrome is using same origin as default.
Some time has passed and identified breaking websites have been updated.
Let's try to reland this behavior in https://bugs.webkit.org/show_bug.cgi?id=239381.