Check the response URL origin in BufferedDataSource to avoid mixing cross-origin responses.

media/blink/buffered_data_source.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "media/blink/buffered_data_source.h"
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/location.h"
 #include "base/single_thread_task_runner.h"
@@ skipping 338 matching lines @@
 
   bool init_cb_is_null = false;
   {
     base::AutoLock auto_lock(lock_);
     init_cb_is_null = init_cb_.is_null();
   }
   if (init_cb_is_null) {
     loader_->Stop();
     return;
   }
+  response_original_url_ = loader_->response_original_url();
 
   // All responses must be successful. Resources that are assumed to be fully
   // buffered must have a known content length.
   bool success = status == BufferedResourceLoader::kOk &&
                  (!assume_fully_buffered() ||
                   loader_->instance_size() != kPositionNotSpecified);
 
   if (success) {
     total_bytes_ = loader_->instance_size();
     streaming_ =
@@ skipping 27 matching lines @@
                                    loader_->range_supported());
   }
 
   base::ResetAndReturn(&init_cb_).Run(success);
 }
 
 void BufferedDataSource::PartialReadStartCallback(
     BufferedResourceLoader::Status status) {
   DCHECK(render_task_runner_->BelongsToCurrentThread());
   DCHECK(loader_.get());
+  if (status == BufferedResourceLoader::kOk &&
+      response_original_url_ == loader_->response_original_url()) {

[falken, 2015/07/03 04:00:25]

Actually a question. Should this really just compare origin instead of URL? And
should you be able to mix your own SW's response with your own server's
response?

[horo, 2015/07/06 11:45:47]

Changed to compare the origin.
And added canRequest() check.

+    // We don't support mixed range responses. Otherwise malicious attackers can

[falken, 2015/07/03 03:43:44]

I'm not sure "mixed range response" is a term of art. Maybe "mixed-origin range
response"

[horo, 2015/07/06 11:45:47]

Changed to "mixing different origin responses".

+    // scan the bytes of other origin resources by mixing their generated bytes
+    // and the target response. See http://crbug.com/489060#c32 for details.
 
-  if (status == BufferedResourceLoader::kOk) {
     // Once the request has started successfully, we can proceed with
     // reading from it.
     ReadInternal();
     return;
   }
 
   // Stop the resource loader since we have received an error.
   loader_->Stop();
 
   // TODO(scherkus): we shouldn't have to lock to signal host(), see
   // http://crbug.com/113712 for details.
   base::AutoLock auto_lock(lock_);
   if (stop_signal_received_)
     return;
   ReadOperation::Run(read_op_.Pass(), kReadError);

[falken, 2015/07/03 04:00:25]

When we fail due to the security check, should we have a different error code so
devs can know what failed?

(It seems unlikely people would try to do this mixing legitimately though.)

[horo, 2015/07/06 11:45:48]

It may be better to have.
But BufferedDataSource BufferedResourceLoader are not providing such detailed
error messages now.

 }
 
 void BufferedDataSource::ReadCallback(
     BufferedResourceLoader::Status status,
     int bytes_read) {
   DCHECK(render_task_runner_->BelongsToCurrentThread());
 
   // TODO(scherkus): we shouldn't have to lock to signal host(), see
   // http://crbug.com/113712 for details.
   base::AutoLock auto_lock(lock_);
@@ skipping 118 matching lines @@
   }
 
   // If media is currently playing or the page indicated preload=auto or the
   // the server does not support the byte range request or we do not want to go
   // too far ahead of the read head, use threshold strategy to enable/disable
   // deferring when the buffer is full/depleted.
   loader_->UpdateDeferStrategy(BufferedResourceLoader::kCapacityDefer);
 }
 
 }  // namespace media