Fix for cross-origin video check for webgl on android

content/renderer/media/android/webmediaplayer_android.cc

Index: content/renderer/media/android/webmediaplayer_android.cc
diff --git a/content/renderer/media/android/webmediaplayer_android.cc b/content/renderer/media/android/webmediaplayer_android.cc
index 2a050c56e35e7c163aa90e5be92851824a0c92cd..c466a103db04e008ae31ba85d02f6418a42e49d7 100644
--- a/content/renderer/media/android/webmediaplayer_android.cc
+++ b/content/renderer/media/android/webmediaplayer_android.cc
@@ -6,6 +6,7 @@
 
 #include <limits>
 
+#include "base/android/build_info.h"
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/command_line.h"
@@ -55,6 +56,7 @@
 #include "ui/gfx/image/image.h"
 
 static const uint32 kGLTextureExternalOES = 0x8D65;
+static const int kSDKVersionToSupportSecurityOriginCheck = 20;
 
 using blink::WebMediaPlayer;
 using blink::WebSize;
@@ -138,6 +140,7 @@ WebMediaPlayerAndroid::WebMediaPlayerAndroid(
       is_remote_(false),
       media_log_(media_log),
       web_cdm_(NULL),
+      allow_stored_credentials_(false),
       weak_factory_(this) {
   DCHECK(player_manager_);
   DCHECK(cdm_manager_);
@@ -231,7 +234,8 @@ void WebMediaPlayerAndroid::load(LoadType load_type,
                      weak_factory_.GetWeakPtr()),
           base::Bind(&WebMediaPlayerAndroid::OnDurationChanged,
                      weak_factory_.GetWeakPtr()));
-      InitializePlayer(demuxer_client_id);
+      InitializePlayer(url_, frame_->document().firstPartyForCookies(),
+                       true, demuxer_client_id);
     }
   } else {
     info_loader_.reset(
@@ -240,11 +244,6 @@ void WebMediaPlayerAndroid::load(LoadType load_type,
             cors_mode,
             base::Bind(&WebMediaPlayerAndroid::DidLoadMediaInfo,
                        weak_factory_.GetWeakPtr())));
-    // TODO(qinmin): The url might be redirected when android media player
-    // requests the stream. As a result, we cannot guarantee there is only
-    // a single origin. Remove the following line when b/12573548 is fixed.
-    // Check http://crbug.com/334204.
-    info_loader_->set_single_origin(false);
     info_loader_->Start(frame_);
   }
 
@@ -252,7 +251,11 @@ void WebMediaPlayerAndroid::load(LoadType load_type,
   UpdateReadyState(WebMediaPlayer::ReadyStateHaveNothing);
 }
 
-void WebMediaPlayerAndroid::DidLoadMediaInfo(MediaInfoLoader::Status status) {
+void WebMediaPlayerAndroid::DidLoadMediaInfo(
+    MediaInfoLoader::Status status,
+    const GURL& redirected_url,
+    const GURL& first_party_for_cookies,
+    bool allow_stored_credentials) {
   DCHECK(!media_source_delegate_);
   if (status == MediaInfoLoader::kFailed) {
     info_loader_.reset();
@@ -260,7 +263,8 @@ void WebMediaPlayerAndroid::DidLoadMediaInfo(MediaInfoLoader::Status status) {
     return;
   }
 
-  InitializePlayer(0);
+  InitializePlayer(
+      redirected_url, first_party_for_cookies, allow_stored_credentials, 0);
 
   UpdateNetworkState(WebMediaPlayer::NetworkStateIdle);
 }
@@ -602,12 +606,23 @@ bool WebMediaPlayerAndroid::copyVideoTextureToPlatformTexture(
 }
 
 bool WebMediaPlayerAndroid::hasSingleSecurityOrigin() const {
-  if (info_loader_)
-    return info_loader_->HasSingleOrigin();
-  // The info loader may have failed.
-  if (player_type_ == MEDIA_PLAYER_TYPE_URL)
+  if (player_type_ != MEDIA_PLAYER_TYPE_URL)
+    return true;
+
+  if (!info_loader_ || !info_loader_->HasSingleOrigin())
     return false;
-  return true;
+
+  // TODO(qinmin): The url might be redirected when android media player
+  // requests the stream. As a result, we cannot guarantee there is only
+  // a single origin. Only if the HTTP request was made without credentials,
+  // we will honor the return value from  HasSingleSecurityOriginInternal()
+  // in pre-L android versions.
+  // Check http://crbug.com/334204.
+  if (!allow_stored_credentials_)
+    return true;
+
+  return base::android::BuildInfo::GetInstance()->sdk_int() >=
+      kSDKVersionToSupportSecurityOriginCheck;

[dshwang, 2014/08/11 08:01:33]

This method allows SSO for systems >=L although the description said we are
reenabling video for webgl for systems <=K.
I guess we should replace >= to <, right?

Video on WebGL still is in trouble on systems <= K. e.g.
http://browsertests.herokuapp.com/media/mdn_samples_webgl_sample8/index.html

[dshwang, 2014/08/15 09:25:55]

This CL makes WebGL more restricted on systems <K, not less restricted, because
this line; return system >= L as hasSingleSecurityOrigin
So there is not any difference for system <= K compared to before-this-CL

 }
 
 bool WebMediaPlayerAndroid::didPassCORSAccessCheck() const {
@@ -937,11 +952,14 @@ void WebMediaPlayerAndroid::OnDestruct() {
 }
 
 void WebMediaPlayerAndroid::InitializePlayer(
+    const GURL& url,
+    const GURL& first_party_for_cookies,
+    bool allow_stored_credentials,
     int demuxer_client_id) {
-  GURL first_party_url = frame_->document().firstPartyForCookies();
+  allow_stored_credentials_ = allow_stored_credentials;
   player_manager_->Initialize(
-      player_type_, player_id_, url_, first_party_url, demuxer_client_id,
-      frame_->document().url());
+      player_type_, player_id_, url, first_party_for_cookies, demuxer_client_id,
+      frame_->document().url(), allow_stored_credentials);
   if (player_manager_->ShouldEnterFullscreen(frame_))
     player_manager_->EnterFullscreen(player_id_, frame_);
 }