http://www.whatwg.org/specs/web-apps/current-work/multipage/video.html#sourcing-out-of-band-text-tracks says: If URL is not the empty string, and its origin is the same as the media element's Document's origin, then fetch URL, from the media element's Document's origin, with the force same-origin flag set.
<rdar://problem/10489317>
Actually, the current version of the spec mentions CORS: If URL is not the empty string, perform a potentially CORS-enabled fetch of URL, with the mode being the state of the media element's crossorigin content attribute, the origin being the origin of the media element's Document, and the default origin behaviour set to fail. The resource obtained in this fashion, if any, contains the text track data. If any data is obtained, it is by definition CORS-same-origin (cross-origin resources that are not suitably CORS-enabled do not get this far).
Created attachment 117011 [details] Proposed patch
Comment on attachment 117011 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=117011&action=review Most cached resources do there cross origin checks in CachedResourceLoader::canRequest() (e.g. XSLTStyleSheet), can we do it for TextTracks there too? > Source/WebCore/html/HTMLTrackElement.cpp:243 > + if (!document()->contentSecurityPolicy()->allowMediaFromSource(url)) { > + DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin image load denied by Content Security Policy.")); > + document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage); > + LOG(Media, "HTMLTrackElement::canLoadUrl(%s) -> rejected by Content Security Policy", urlForLogging(url).utf8().data()); > + return false; CSP denying the load is not the same
(In reply to comment #4) > (From update of attachment 117011 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=117011&action=review > > Most cached resources do there cross origin checks in CachedResourceLoader::canRequest() (e.g. XSLTStyleSheet), can we do it for TextTracks there too? > I modeled this after ImageLoader because it was the only other element I found that used the element's "crossorigin" attribute. It does the check in ImageLoader::updateFromElement before it asks the cached resource loader to load the image. In order to move the check down into CachedResourceLoader::canRequest I will have to change CachedResourceLoader::requestResource so it has the 'crossorgin' attribute value.
Comment on attachment 117011 [details] Proposed patch Attachment 117011 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/10697165 New failing tests: media/track/track-add-track.html http/tests/security/text-track-crossorigin.html
Created attachment 117216 [details] Updated patch Updated the test results and fixed comment logged when CSP denies a load.
http://trac.webkit.org/changeset/101999