Fix for cross-origin video check for webgl on android

content/renderer/media/android/media_info_loader.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/media/android/media_info_loader.h"
 
 #include "base/bits.h"
 #include "base/callback_helpers.h"
 #include "base/metrics/histogram.h"
 #include "third_party/WebKit/public/platform/WebURLError.h"
@@ skipping 11 matching lines @@
 namespace content {
 
 static const int kHttpOK = 200;
 
 MediaInfoLoader::MediaInfoLoader(
     const GURL& url,
     blink::WebMediaPlayer::CORSMode cors_mode,
     const ReadyCB& ready_cb)
     : loader_failed_(false),
       url_(url),
+      allow_stored_credentials_(false),
       cors_mode_(cors_mode),
       single_origin_(true),
       ready_cb_(ready_cb) {}
 
 MediaInfoLoader::~MediaInfoLoader() {}
 
 void MediaInfoLoader::Start(blink::WebFrame* frame) {
   // Make sure we have not started.
   DCHECK(!ready_cb_.is_null());
   CHECK(frame);
 
   start_time_ = base::TimeTicks::Now();
+  first_party_url_ = frame->document().firstPartyForCookies();
 
   // Prepare the request.
   WebURLRequest request(url_);
   // TODO(mkwst): Split this into video/audio.
   request.setRequestContext(WebURLRequest::RequestContextVideo);
   frame->setReferrerForRequest(request, blink::WebURL());
 
   scoped_ptr<WebURLLoader> loader;
   if (test_loader_) {
     loader = test_loader_.Pass();
   } else {
     WebURLLoaderOptions options;
     if (cors_mode_ == blink::WebMediaPlayer::CORSModeUnspecified) {
       options.allowCredentials = true;
       options.crossOriginRequestPolicy =
           WebURLLoaderOptions::CrossOriginRequestPolicyAllow;
+      allow_stored_credentials_ = true;
     } else {
       options.exposeAllResponseHeaders = true;
       // The author header set is empty, no preflight should go ahead.
       options.preflightPolicy = WebURLLoaderOptions::PreventPreflight;
       options.crossOriginRequestPolicy =
           WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
-      if (cors_mode_ == blink::WebMediaPlayer::CORSModeUseCredentials)
+      if (cors_mode_ == blink::WebMediaPlayer::CORSModeUseCredentials) {
         options.allowCredentials = true;
+        allow_stored_credentials_ = true;
+      }
     }
     loader.reset(frame->createAssociatedURLLoader(options));
   }
 
   // Start the resource loading.
   loader->loadAsynchronously(request, this);
   active_loader_.reset(new ActiveLoader(loader.Pass()));
 }
 
 /////////////////////////////////////////////////////////////////////////////
 // blink::WebURLLoaderClient implementation.
 void MediaInfoLoader::willSendRequest(
     WebURLLoader* loader,
     WebURLRequest& newRequest,
     const WebURLResponse& redirectResponse) {
   // The load may have been stopped and |ready_cb| is destroyed.
   // In this case we shouldn't do anything.
   if (ready_cb_.is_null()) {
     // Set the url in the request to an invalid value (empty url).
     newRequest.setURL(blink::WebURL());
     return;
   }
 
   // Only allow |single_origin_| if we haven't seen a different origin yet.
   if (single_origin_)
     single_origin_ = url_.GetOrigin() == GURL(newRequest.url()).GetOrigin();

[Ken Russell (switch to Gerrit), 2014/07/30 20:44:05]

Are we 100% sure that this (preexisting) code computes the right thing? For
example, if a redirect happens during an anonymous CORS fetch, and both the
original and destination server respond to the Origin: header with the right
Access-Control-Allow-Origin: header, the resulting redirect will be considered
same-origin.

[qinmin, 2014/07/30 23:46:05]

hmm... I am not very familiar with the CORS stuff. Since this class is mostly
cloned from buffered_resource_loader.cc, scherkus@, do you have any idea whether
the implementation there and here is correct? Same for the questions below


On 2014/07/30 20:44:05, Ken Russell wrote:

[scherkus (not reviewing), 2014/07/31 01:15:46]

kbr: I think you're right.

I thought that this was handled higher up in Blink (e.g., in
HTMLVideoElement::willTaintOrigin() [1]), but it doesn't appear that's the case.

I also did some digging around in the bug tracker and found
http://crbug.com/390889 -- I think both this class and BufferedResourceLoader
need fixes.


[1]
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

 
   url_ = newRequest.url();
+  first_party_url_ = newRequest.firstPartyForCookies();
+  allow_stored_credentials_ = newRequest.allowStoredCredentials();

[Ken Russell (switch to Gerrit), 2014/07/30 20:44:05]

Are you 100% sure that these pieces of state are being updated correctly while
following redirects?

 }
 
 void MediaInfoLoader::didSendData(
     WebURLLoader* loader,
     unsigned long long bytes_sent,
     unsigned long long total_bytes_to_be_sent) {
   NOTIMPLEMENTED();
 }
 
 void MediaInfoLoader::didReceiveResponse(
@@ skipping 75 matching lines @@
 }
 
 /////////////////////////////////////////////////////////////////////////////
 // Helper methods.
 
 void MediaInfoLoader::DidBecomeReady(Status status) {
   UMA_HISTOGRAM_TIMES("Media.InfoLoadDelay",
                       base::TimeTicks::Now() - start_time_);
   active_loader_.reset();
   if (!ready_cb_.is_null())
-    base::ResetAndReturn(&ready_cb_).Run(status);
+    base::ResetAndReturn(&ready_cb_).Run(status, url_, first_party_url_,
+                                         allow_stored_credentials_);

[Ken Russell (switch to Gerrit), 2014/07/30 20:44:05]

Are we 100% sure that these are the right pieces of information to give to the
ready callback?

 }
 
 }  // namespace content