Chromium Code Reviews

Unified Diff: media/blink/buffered_data_source.cc

Issue 1220963004: Check the response URL origin in BufferedDataSource to avoid mixing cross-origin responses. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: incorporated hubbe's comment Created 5 years, 5 months ago
Index: media/blink/buffered_data_source.cc
diff --git a/media/blink/buffered_data_source.cc b/media/blink/buffered_data_source.cc
index d5f32b1ca298d4c787731c70eb26ead26632bea0..614fa39b7dee331dff1e2540a3019375cb592be6 100644
--- a/media/blink/buffered_data_source.cc
+++ b/media/blink/buffered_data_source.cc
@@ -356,6 +356,7 @@ void BufferedDataSource::StartCallback(
loader_->Stop();
return;
}
+ response_original_url_ = loader_->response_original_url();
// All responses must be successful. Resources that are assumed to be fully
// buffered must have a known content length.
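Review bot: the assignment `response_original_url_ = loader_->response_original_url();` in StartCallback has no comment saying it is the baseline that later partial responses are compared against, and it sits above the "All responses must be successful" checks, so the URL is recorded even for a response those checks go on to reject. Consider moving it below the success checks, or add a one-line comment stating that it is only consulted by CheckPartialResponseURL for later partial responses.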
@@ -403,8 +404,8 @@ void BufferedDataSource::PartialReadStartCallback(
BufferedResourceLoader::Status status) {
DCHECK(render_task_runner_->BelongsToCurrentThread());
DCHECK(loader_.get());
-
- if (status == BufferedResourceLoader::kOk) {
+ if (status == BufferedResourceLoader::kOk &&
+ CheckPartialResponseURL(loader_->response_original_url())) {
// Once the request has started successfully, we can proceed with
// reading from it.
ReadInternal();
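Review bot: in the PartialReadStartCallback condition, an origin mismatch from CheckPartialResponseURL is folded into the same branch as a status other than kOk, so a rejected cross-origin response is indistinguishable from an ordinary load failure, and nothing in the visible lines stops the loader, unlike the early-return path in StartCallback that calls `loader_->Stop()`. Consider handling the mismatch as its own case that stops the loader and logs the reason before failing the read. The blank line dropped after the DCHECKs is unrelated to the fix and could be kept.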
@@ -422,6 +423,18 @@ void BufferedDataSource::PartialReadStartCallback(
ReadOperation::Run(read_op_.Pass(), kReadError);
}
+bool BufferedDataSource::CheckPartialResponseURL(
+ const GURL& partial_response_original_url) const {
+ // We check the redirected URL of partial responses in case malicious
+ // attackers scan the bytes of other origin resources by mixing their
+ // generated bytes and the target response. See http://crbug.com/489060#c32
+ // for details.
+ // If the origin of the new response is different from the first response we
+ // deny the redirected response.
+ return response_original_url_.GetOrigin() ==
+ partial_response_original_url.GetOrigin();
+}
+
void BufferedDataSource::ReadCallback(
BufferedResourceLoader::Status status,
int bytes_read) {
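Review bot: the comparison in CheckPartialResponseURL relies on `GetOrigin()`, which returns an empty GURL for an invalid or non-standard URL, so two such URLs compare equal and the check passes when `response_original_url_` was never set and the partial response URL is also empty. Consider a DCHECK that `response_original_url_` is valid, or return false explicitly when either origin is empty. The comment should also say whether the URL being checked is the final URL after redirects, since the parameter is named `partial_response_original_url` while the comment speaks of the redirected URL.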