New issue
Advanced search Search tips

Issue 777848 link

Starred by 2 users
Status: Fixed
Owner:
beccahughes@chromium.org
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Media Controls broken by CSP

Reported by acmesqua...@gmail.com, Oct 24 2017 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.9 Safari/537.36

Steps to reproduce the problem:
Create a policy disallowing dataURLs, and a media element with visible controls.

What is the expected behavior?
The controls are visible

What went wrong?
The controls (dataURLs) are blocked.

Did this work before? Yes 62.0.3202.62

Does this work in other browsers? Yes

Chrome version: 63.0.3239.9  Channel: dev
OS Version: 
Flash Version:

Comment 1 by acmesqua...@gmail.com, Oct 24 2017

media_controls_csp.html
211 bytes View Download

Comment 2 by mlamouri@chromium.org, Oct 24 2017

Components: -Blink>Media Blink>Media>Controls
Owner: beccahughes@chromium.org
beccahughes@, can you PTAL? I assume this might be related to your recent changes?

Comment 3 by beccahughes@chromium.org, Oct 24 2017

Components: Blink>SecurityFeature
Status: Assigned (was: Unconfirmed)

Comment 4 by manoranj...@chromium.org, Oct 24 2017

Labels: Needs-Triage-M63

Comment 5 by beccahughes@chromium.org, Oct 27 2017

Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 30 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1cd7ee607e9863b5a725b8bcdeecd493e52471d9

commit 1cd7ee607e9863b5a725b8bcdeecd493e52471d9
Author: Becca Hughes <beccahughes@chromium.org>
Date: Mon Oct 30 11:53:19 2017

Media Controls: Fix broken by CSP.

The native media controls use CSS internal to Chrome (User Agent CSS)
and the buttons are data urls embedded into the stylesheet. This adds a
new "uacss" initiator that can only request images with data urls. This
check is performed before the CSP check so it will also fix sites that
are broken because they block data urls.

BUG= 777848 

Change-Id: I737e8419fa3f6033c7f91383cb87d7e7d083c066
Reviewed-on: https://chromium-review.googlesource.com/741586
Reviewed-by: Nate Chapin <japhet@chromium.org>
Commit-Queue: Becca Hughes <beccahughes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512476}
[modify] https://crrev.com/1cd7ee607e9863b5a725b8bcdeecd493e52471d9/third_party/WebKit/Source/core/css/CSSImageSetValue.cpp
[modify] https://crrev.com/1cd7ee607e9863b5a725b8bcdeecd493e52471d9/third_party/WebKit/Source/core/loader/BaseFetchContext.cpp
[modify] https://crrev.com/1cd7ee607e9863b5a725b8bcdeecd493e52471d9/third_party/WebKit/Source/core/loader/BaseFetchContextTest.cpp
[modify] https://crrev.com/1cd7ee607e9863b5a725b8bcdeecd493e52471d9/third_party/WebKit/Source/platform/loader/fetch/Resource.cpp
[modify] https://crrev.com/1cd7ee607e9863b5a725b8bcdeecd493e52471d9/third_party/WebKit/Source/platform/loader/fetch/fetch_initiator_type_names.json5

Comment 7 by beccahughes@chromium.org, Oct 30 2017

Status: Fixed (was: Started)

Sign in to add a comment