Restrict use of hardware-secure codecs based on the RendererPreference.

media/blink/webencryptedmediaclient_impl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webencryptedmediaclient_impl.h"
 
 #include "base/bind.h"
 #include "base/metrics/histogram.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 60 matching lines @@
         KEY_SYSTEM_SUPPORT_STATUS_COUNT + 1,
         base::Histogram::kUmaTargetedHistogramFlag)->Add(status);
   }
 
   const std::string uma_name_;
   bool is_request_reported_;
   bool is_support_reported_;
 };
 
 WebEncryptedMediaClientImpl::WebEncryptedMediaClientImpl(
+#if defined(OS_ANDROID)
+    base::Callback<bool(void)> allow_secure_surfaces_cb,
+#endif  // defined(OS_ANDROID)
     CdmFactory* cdm_factory,
     MediaPermission* media_permission)
     : cdm_factory_(cdm_factory),
       key_system_config_selector_(KeySystems::GetInstance(), media_permission),
       weak_factory_(this) {
   DCHECK(cdm_factory_);
+#if defined(OS_ANDROID)
+  allow_secure_surfaces_cb_ = allow_secure_surfaces_cb;
+#endif  // defined(OS_ANDROID)
 }
 
 WebEncryptedMediaClientImpl::~WebEncryptedMediaClientImpl() {
 }
 
 void WebEncryptedMediaClientImpl::requestMediaKeySystemAccess(
     blink::WebEncryptedMediaRequest request) {
   GetReporter(request.keySystem())->ReportRequested();
   key_system_config_selector_.SelectConfig(
-      request.keySystem(), request.supportedConfigurations(),
-      request.securityOrigin(),
+      request.keySystem(),
+#if defined(OS_ANDROID)
+      allow_secure_surfaces_cb_.Run(),
+#endif  // defined(OS_ANDROID)
+      request.supportedConfigurations(), request.securityOrigin(),
       base::Bind(&WebEncryptedMediaClientImpl::OnRequestSucceeded,
                  weak_factory_.GetWeakPtr(), request),
       base::Bind(&WebEncryptedMediaClientImpl::OnRequestNotSupported,
                  weak_factory_.GetWeakPtr(), request));
 }
 
 void WebEncryptedMediaClientImpl::CreateCdm(
     const blink::WebString& key_system,
     bool allow_distinctive_identifier,
     bool allow_persistent_state,
     const blink::WebSecurityOrigin& security_origin,
     blink::WebContentDecryptionModuleResult result) {
   WebContentDecryptionModuleImpl::Create(
       cdm_factory_, key_system, allow_distinctive_identifier,
       allow_persistent_state, security_origin, result);
 }
 
 void WebEncryptedMediaClientImpl::OnRequestSucceeded(
     blink::WebEncryptedMediaRequest request,
-    const blink::WebMediaKeySystemConfiguration& accumulated_configuration) {
+    const blink::WebMediaKeySystemConfiguration& accumulated_configuration,
+#if defined(OS_ANDROID)
+    const bool require_secure_surfaces,

[ddorwin, 2015/05/06 02:17:12]

no const

[sandersd (OOO until July 31), 2015/05/08 00:37:42]

Done.

+#endif  // defined(OS_ANDROID)
+    ) {
+  if (!request.allow_seure_surfaces)
+    DCHECK(!require_secure_surfaces);
   GetReporter(request.keySystem())->ReportSupported();
+  // TODO(sandersd): Pass |require_secure_surfaces| along and use it to

[ddorwin, 2015/05/06 02:17:12]

Ideally, we would pass along something generic, such as the robustness level. Or
perhaps the max_robustness_level requested. That would help us avoid all these
ifdefs and maybe even remove some in this CL. WDYT?

[sandersd (OOO until July 31), 2015/05/08 00:37:42]

This is in the same category as |allow_persistent_state| and
|allow_distinctive_identifier|, except that we can't infer it from the
accumulated configuration. I'm thinking we should pull all those out into a
KeySystemConfiguration struct (as a Chromium counterpart to
WebMediaKeySystemConfiguration). Does that seem reasonable?

[ddorwin, 2015/05/08 03:18:31]

We can infer those from the accumulated_configuration, though, right?

My point was the type/meaning of the new passed value. I don't think it matters
whether it's in a struct or not. Or were you considering passing multiple items?

[sandersd (OOO until July 31), 2015/05/08 18:04:45]

Yes, I am considering passing all three of those bools in a struct, and getting
rid of the inference (the plan would be to do that in the next CL, as I would be
plumbing this bool through in that CL anyway).

This value isn't directly convertible to a robustness value, since it is a
property of the codecs used, not the configuration. It is true that you can only
currently get it by requesting robustness--do we want to turn the current state
into a guarantee? (The implication is that we could never support codecs that do
not have non-hardware-secure modes.)

+  // configure the CDM security level on Android.
   request.requestSucceeded(WebContentDecryptionModuleAccessImpl::Create(
       request.keySystem(), accumulated_configuration, request.securityOrigin(),
       weak_factory_.GetWeakPtr()));
 }
 
 void WebEncryptedMediaClientImpl::OnRequestNotSupported(
     blink::WebEncryptedMediaRequest request,
     const blink::WebString& error_message) {
   request.requestNotSupported(error_message);
 }
@@ skipping 10 matching lines @@
   std::string uma_name = GetKeySystemNameForUMA(key_system_ascii);
   Reporter* reporter = reporters_.get(uma_name);
   if (!reporter) {
     reporter = new Reporter(uma_name);
     reporters_.add(uma_name, make_scoped_ptr(reporter));
   }
   return reporter;
 }
 
 }  // namespace media