Bug 222130 - hasBrokenEncryptedMediaAPISupportQuirk and needsPreloadAutoQuirk have overly permissive domain allow lists
Summary: hasBrokenEncryptedMediaAPISupportQuirk and needsPreloadAutoQuirk have overly ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Eric Carlson
URL:
Keywords: InRadar
: 235015 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-02-18 13:37 PST by Rich Dougherty
Modified: 2022-01-10 15:43 PST (History)
5 users (show)

See Also:


Attachments
Patch (1.92 KB, patch)
2022-01-10 09:58 PST, Eric Carlson
no flags Details | Formatted Diff | Diff
Patch (2.48 KB, patch)
2022-01-10 10:52 PST, Eric Carlson
no flags Details | Formatted Diff | Diff
Followup to fix typo (1.41 KB, patch)
2022-01-10 15:09 PST, Eric Carlson
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Rich Dougherty 2021-02-18 13:37:58 PST
The hasBrokenEncryptedMediaAPISupportQuirk enables quirks behaviour for several whitelisted domains. The rule to allow subdomains of hulu.com appears to be missing a "." so it would also allow sites like "notreallyhulu.com" as well as genuine subdomains.

In other words, the check 'domain.endsWith("hulu.com")' should probably be 'domain.endsWith(".hulu.com")'. This would bring it in line with rules for the other domains.

See: https://github.com/WebKit/WebKit/blob/4e8064a058644469e9312abdb736c4164c848e71/Source/WebCore/page/Quirks.cpp#L187
Comment 2 Radar WebKit Bug Importer 2021-02-25 13:38:12 PST
<rdar://problem/74758560>
Comment 3 Eric Carlson 2022-01-10 09:58:45 PST
Created attachment 448763 [details]
Patch
Comment 4 Eric Carlson 2022-01-10 10:01:34 PST
*** Bug 235015 has been marked as a duplicate of this bug. ***
Comment 5 Eric Carlson 2022-01-10 10:52:46 PST
Created attachment 448775 [details]
Patch
Comment 6 EWS 2022-01-10 13:55:19 PST
Committed r287855 (245901@main): <https://commits.webkit.org/245901@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 448775 [details].
Comment 7 Darin Adler 2022-01-10 14:08:03 PST
Comment on attachment 448775 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=448775&action=review

> Source/WebCore/page/Quirks.cpp:820
> +    m_needsPreloadAutoQuirk = domain == "vimeo"_s;

This should be "vimeo.com", right?
Comment 8 Eric Carlson 2022-01-10 15:03:11 PST
Comment on attachment 448775 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=448775&action=review

>> Source/WebCore/page/Quirks.cpp:820
>> +    m_needsPreloadAutoQuirk = domain == "vimeo"_s;
> 
> This should be "vimeo.com", right?

It certainly should!
Comment 9 Eric Carlson 2022-01-10 15:09:32 PST
Reopening to attach new patch.
Comment 10 Eric Carlson 2022-01-10 15:09:33 PST
Created attachment 448803 [details]
Followup to fix typo
Comment 11 EWS 2022-01-10 15:43:44 PST
Committed r287862 (245906@main): <https://commits.webkit.org/245906@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 448803 [details].