Fix for cross-origin video check for webgl on android

content/renderer/media/android/media_info_loader.cc

Index: content/renderer/media/android/media_info_loader.cc
diff --git a/content/renderer/media/android/media_info_loader.cc b/content/renderer/media/android/media_info_loader.cc
index a89356f2cf788eebf3b0caa0635420bf36ed3374..3c22389e46e259e06265eb931cd9f29ec40cced1 100644
--- a/content/renderer/media/android/media_info_loader.cc
+++ b/content/renderer/media/android/media_info_loader.cc
@@ -29,6 +29,7 @@ MediaInfoLoader::MediaInfoLoader(
     const ReadyCB& ready_cb)
     : loader_failed_(false),
       url_(url),
+      allow_stored_credentials_(false),
       cors_mode_(cors_mode),
       single_origin_(true),
       ready_cb_(ready_cb) {}
@@ -41,6 +42,7 @@ void MediaInfoLoader::Start(blink::WebFrame* frame) {
   CHECK(frame);
 
   start_time_ = base::TimeTicks::Now();
+  first_party_url_ = frame->document().firstPartyForCookies();
 
   // Prepare the request.
   WebURLRequest request(url_);
@@ -57,14 +59,17 @@ void MediaInfoLoader::Start(blink::WebFrame* frame) {
       options.allowCredentials = true;
       options.crossOriginRequestPolicy =
           WebURLLoaderOptions::CrossOriginRequestPolicyAllow;
+      allow_stored_credentials_ = true;
     } else {
       options.exposeAllResponseHeaders = true;
       // The author header set is empty, no preflight should go ahead.
       options.preflightPolicy = WebURLLoaderOptions::PreventPreflight;
       options.crossOriginRequestPolicy =
           WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
-      if (cors_mode_ == blink::WebMediaPlayer::CORSModeUseCredentials)
+      if (cors_mode_ == blink::WebMediaPlayer::CORSModeUseCredentials) {
         options.allowCredentials = true;
+        allow_stored_credentials_ = true;
+      }
     }
     loader.reset(frame->createAssociatedURLLoader(options));
   }
@@ -93,6 +98,8 @@ void MediaInfoLoader::willSendRequest(
     single_origin_ = url_.GetOrigin() == GURL(newRequest.url()).GetOrigin();

[Ken Russell (switch to Gerrit), 2014/07/30 20:44:05]

Are we 100% sure that this (preexisting) code computes the right thing? For
example, if a redirect happens during an anonymous CORS fetch, and both the
original and destination server respond to the Origin: header with the right
Access-Control-Allow-Origin: header, the resulting redirect will be considered
same-origin.

[qinmin, 2014/07/30 23:46:05]

hmm... I am not very familiar with the CORS stuff. Since this class is mostly
cloned from buffered_resource_loader.cc, scherkus@, do you have any idea whether
the implementation there and here is correct? Same for the questions below


On 2014/07/30 20:44:05, Ken Russell wrote:

[scherkus (not reviewing), 2014/07/31 01:15:46]

kbr: I think you're right.

I thought that this was handled higher up in Blink (e.g., in
HTMLVideoElement::willTaintOrigin() [1]), but it doesn't appear that's the case.

I also did some digging around in the bug tracker and found
http://crbug.com/390889 -- I think both this class and BufferedResourceLoader
need fixes.


[1]
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

 
   url_ = newRequest.url();
+  first_party_url_ = newRequest.firstPartyForCookies();
+  allow_stored_credentials_ = newRequest.allowStoredCredentials();

[Ken Russell (switch to Gerrit), 2014/07/30 20:44:05]

Are you 100% sure that these pieces of state are being updated correctly while
following redirects?

 }
 
 void MediaInfoLoader::didSendData(
@@ -188,7 +195,8 @@ void MediaInfoLoader::DidBecomeReady(Status status) {
                       base::TimeTicks::Now() - start_time_);
   active_loader_.reset();
   if (!ready_cb_.is_null())
-    base::ResetAndReturn(&ready_cb_).Run(status);
+    base::ResetAndReturn(&ready_cb_).Run(status, url_, first_party_url_,
+                                         allow_stored_credentials_);

[Ken Russell (switch to Gerrit), 2014/07/30 20:44:05]

Are we 100% sure that these are the right pieces of information to give to the
ready callback?

 }
 
 }  // namespace content