Check the response URL origin in BufferedDataSource to avoid mixing cross-origin responses.

media/blink/buffered_data_source.cc

Index: media/blink/buffered_data_source.cc
diff --git a/media/blink/buffered_data_source.cc b/media/blink/buffered_data_source.cc
index d5f32b1ca298d4c787731c70eb26ead26632bea0..412b9c01c51b687da936ebc2c2da8b78d93cbbe4 100644
--- a/media/blink/buffered_data_source.cc
+++ b/media/blink/buffered_data_source.cc
@@ -356,6 +356,7 @@ void BufferedDataSource::StartCallback(
     loader_->Stop();
     return;
   }
+  response_original_url_ = loader_->response_original_url();
 
   // All responses must be successful. Resources that are assumed to be fully
   // buffered must have a known content length.
@@ -403,8 +404,12 @@ void BufferedDataSource::PartialReadStartCallback(
     BufferedResourceLoader::Status status) {
   DCHECK(render_task_runner_->BelongsToCurrentThread());
   DCHECK(loader_.get());
+  if (status == BufferedResourceLoader::kOk &&
+      response_original_url_ == loader_->response_original_url()) {

[falken, 2015/07/03 04:00:25]

Actually a question. Should this really just compare origin instead of URL? And
should you be able to mix your own SW's response with your own server's
response?

[horo, 2015/07/06 11:45:47]

Changed to compare the origin.
And added canRequest() check.

+    // We don't support mixed range responses. Otherwise malicious attackers can

[falken, 2015/07/03 03:43:44]

I'm not sure "mixed range response" is a term of art. Maybe "mixed-origin range
response"

[horo, 2015/07/06 11:45:47]

Changed to "mixing different origin responses".

+    // scan the bytes of other origin resources by mixing their generated bytes
+    // and the target response. See http://crbug.com/489060#c32 for details.
 
-  if (status == BufferedResourceLoader::kOk) {
     // Once the request has started successfully, we can proceed with
     // reading from it.
     ReadInternal();