The cross-origin checks in the multibuffer code are not sufficient, as they only trigger when a red…

media/blink/resource_multibuffer_data_provider.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "media/blink/resource_multibuffer_data_provider.h"
 
 #include <stddef.h>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 156 matching lines @@
 
   // This test is vital for security!
   if (cors_mode_ == UrlData::CORS_UNSPECIFIED) {
     // We allow the redirect if the origin is the same.
     if (origin_ != redirects_to_.GetOrigin()) {
       // We also allow the redirect if we don't have any data in the
       // cache, as that means that no dangerous data mixing can occur.
       if (url_data_->multibuffer()->map().empty() && fifo_.empty())
         return;
 
+      active_loader_ = nullptr;
       url_data_->Fail();
+      return;  // "this" may be deleted now.
     }
   }
 }
 
 void ResourceMultiBufferDataProvider::didSendData(
     WebURLLoader* loader,
     unsigned long long bytes_sent,
     unsigned long long total_bytes_to_be_sent) {
   NOTIMPLEMENTED();
 }
@@ skipping 93 matching lines @@
       // to return.
       destination_url_data->set_length(content_length);
     } else if (response.httpStatusCode() == kHttpRangeNotSatisfiable) {
       // Really, we should never request a range that doesn't exist, but
       // if we do, let's handle it in a sane way.
       // Unsatisfiable range
       fifo_.push_back(DataBuffer::CreateEOSBuffer());
       destination_url_data->multibuffer()->OnDataProviderEvent(this);
       return;
     } else {
+      active_loader_ = nullptr;
       destination_url_data->Fail();
-      return;
+      return;  // "this" may be deleted now.
     }
   } else {
     destination_url_data->set_range_supported();
     if (content_length != kPositionNotSpecified) {
       destination_url_data->set_length(content_length + byte_pos());
     }
   }
 
   if (url_index) {
     destination_url_data = url_index->TryInsert(destination_url_data);
@@ skipping 12 matching lines @@
         url_data_->multibuffer()->RemoveProvider(this));
     url_data_ = destination_url_data.get();
     // Give the ownership to our new owner.
     url_data_->multibuffer()->AddProvider(std::move(self));
 
     // Call callback to let upstream users know about the transfer.
     // This will merge the data from the two multibuffers and
     // cause clients to start using the new UrlData.
     old_url_data->RedirectTo(destination_url_data);
   }
+
+  // This test is vital for security!
+  const GURL& original_url = response.wasFetchedViaServiceWorker()
+                                 ? response.originalURLViaServiceWorker()
+                                 : response.url();
+  if (!url_data_->ValidateDataOrigin(original_url.GetOrigin())) {
+    active_loader_ = nullptr;
+    url_data_->Fail();
+    return;  // "this" may be deleted now.
+  }
 }
 
 void ResourceMultiBufferDataProvider::didReceiveData(WebURLLoader* loader,
                                                      const char* data,
                                                      int data_length,
                                                      int encoded_data_length) {
   DVLOG(1) << "didReceiveData: " << data_length << " bytes";
   DCHECK(!Available());
   DCHECK(active_loader_);
   DCHECK_GT(data_length, 0);
@@ skipping 55 matching lines @@
       size < url_data_->length()) {
     if (retries_ < kMaxRetries) {
       DVLOG(1) << " Partial data received.... @ pos = " << size;
       retries_++;
       base::MessageLoop::current()->PostDelayedTask(
           FROM_HERE, base::Bind(&ResourceMultiBufferDataProvider::Start,
                                 weak_factory_.GetWeakPtr()),
           base::TimeDelta::FromMilliseconds(kLoaderPartialRetryDelayMs));
       return;
     } else {
-      scoped_ptr<ActiveLoader> active_loader = std::move(active_loader_);
+      active_loader_ = nullptr;
       url_data_->Fail();
-      return;
+      return;  // "this" may be deleted now.
     }
   }
 
   url_data_->set_length(size);
   fifo_.push_back(DataBuffer::CreateEOSBuffer());
 
   DCHECK(Available());
   url_data_->multibuffer()->OnDataProviderEvent(this);
 
   // Beware, this object might be deleted here.
@@ skipping 94 matching lines @@
   }
 
   if (byte_pos() != first_byte_position) {
     return false;
   }
 
   return true;
 }
 
 }  // namespace media