222130 – hasBrokenEncryptedMediaAPISupportQuirk and needsPreloadAutoQuirk have overly permissive domain allow lists

RESOLVED FIXED 222130

hasBrokenEncryptedMediaAPISupportQuirk and needsPreloadAutoQuirk have overly permissive domain allow lists

https://bugs.webkit.org/show_bug.cgi?id=222130

Summary hasBrokenEncryptedMediaAPISupportQuirk and needsPreloadAutoQuirk have overly ...

Rich Dougherty

Reported 2021-02-18 13:37:58 PST

The hasBrokenEncryptedMediaAPISupportQuirk enables quirks behaviour for several whitelisted domains. The rule to allow subdomains of hulu.com appears to be missing a "." so it would also allow sites like "notreallyhulu.com" as well as genuine subdomains. In other words, the check 'domain.endsWith("hulu.com")' should probably be 'domain.endsWith(".hulu.com")'. This would bring it in line with rules for the other domains. See: https://github.com/WebKit/WebKit/blob/4e8064a058644469e9312abdb736c4164c848e71/Source/WebCore/page/Quirks.cpp#L187

Attachments
Patch (1.92 KB, patch) 2022-01-10 09:58 PST, Eric Carlson	no flags	Details Formatted Diff Diff
Patch (2.48 KB, patch) 2022-01-10 10:52 PST, Eric Carlson	no flags	Details Formatted Diff Diff
Followup to fix typo (1.41 KB, patch) 2022-01-10 15:09 PST, Eric Carlson	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Rich Dougherty

Comment 1 2021-02-18 13:43:27 PST

needsPreloadAutoQuirk appears to have the same issue with the vimeo.com domain https://github.com/WebKit/WebKit/blob/4e8064a058644469e9312abdb736c4164c848e71/Source/WebCore/page/Quirks.cpp#L767 Credit: - https://news.ycombinator.com/item?id=26166497 - https://twitter.com/mikesherov/status/1208025766832803841

Radar WebKit Bug Importer

Comment 2 2021-02-25 13:38:12 PST

<rdar://problem/74758560>

Eric Carlson

Comment 3 2022-01-10 09:58:45 PST

Created attachment 448763 [details] Patch

Eric Carlson

Comment 4 2022-01-10 10:01:34 PST

*** Bug 235015 has been marked as a duplicate of this bug. ***

Eric Carlson

Comment 5 2022-01-10 10:52:46 PST

Created attachment 448775 [details] Patch

EWS

Comment 6 2022-01-10 13:55:19 PST

Committed r287855 (245901@main): <https://commits.webkit.org/245901@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448775 [details].

Darin Adler

Comment 7 2022-01-10 14:08:03 PST

Comment on attachment 448775 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448775&action=review > Source/WebCore/page/Quirks.cpp:820 > + m_needsPreloadAutoQuirk = domain == "vimeo"_s; This should be "vimeo.com", right?

Eric Carlson

Comment 8 2022-01-10 15:03:11 PST

Comment on attachment 448775 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=448775&action=review >> Source/WebCore/page/Quirks.cpp:820 >> + m_needsPreloadAutoQuirk = domain == "vimeo"_s; > > This should be "vimeo.com", right? It certainly should!

Eric Carlson

Comment 9 2022-01-10 15:09:32 PST

Reopening to attach new patch.

Eric Carlson

Comment 10 2022-01-10 15:09:33 PST

Created attachment 448803 [details] Followup to fix typo

EWS

Comment 11 2022-01-10 15:43:44 PST

Committed r287862 (245906@main): <https://commits.webkit.org/245906@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 448803 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Media

Assignee

Eric Carlson

Reported

2021-02-18 13:37 PST

Modified

2022-01-10 15:43 PST History

CC List

5 users Show

URL

Keywords InRadar

Duplicates (1)

235015 View as bug list

Depends on

Blocks