Check origin before providing initData in encrypted event

Source/modules/encryptedmedia/HTMLMediaElementEncryptedMedia.cpp

Index: Source/modules/encryptedmedia/HTMLMediaElementEncryptedMedia.cpp
diff --git a/Source/modules/encryptedmedia/HTMLMediaElementEncryptedMedia.cpp b/Source/modules/encryptedmedia/HTMLMediaElementEncryptedMedia.cpp
index 491969d5945e038c1bf6f200b75de05e885efb29..49c4ee54f6480ff04d5995fe6805cce72e1716df 100644
--- a/Source/modules/encryptedmedia/HTMLMediaElementEncryptedMedia.cpp
+++ b/Source/modules/encryptedmedia/HTMLMediaElementEncryptedMedia.cpp
@@ -46,6 +46,22 @@ static void throwExceptionIfMediaKeyExceptionOccurred(const String& keySystem, c
     return;
 }
 
+// Checks to see if the current media src is allowed access to |element|'s
+// origin. Based on !HTMLVideoElement::wouldTaintOrigin().
+static bool canAccessData(HTMLMediaElement& element)

[sandersd (OOO until July 31), 2015/02/03 22:31:59]

I would prefer that there is only one copy of this code. I think the best plan
is to rename this something more serious sounding (basically add Origin to the
method name), then replace HTMLVideoElement::wouldTaintOrigin() calls with calls
to this method.

[jrummell, 2015/02/04 23:28:37]

Done.

+{
+    // If this HTMLMediaElement is mixed content, then not allowed.
+    if (!element.hasSingleSecurityOrigin())
+        return false;
+
+    // If CORS check passed, then we are good.
+    if (element.webMediaPlayer() && element.webMediaPlayer()->didPassCORSAccessCheck())
+        return true;
+
+    // Must be based on whether HTMLMediaElement could request the current src.
+    return element.executionContext()->securityOrigin()->canRequest(element.currentSrc());
+}
+
 // This class allows MediaKeys to be set asynchronously.
 class SetMediaKeysHandler : public ScriptPromiseResolver {
     WTF_MAKE_NONCOPYABLE(SetMediaKeysHandler);
@@ -515,8 +531,15 @@ void HTMLMediaElementEncryptedMedia::encrypted(HTMLMediaElement& element, const
 
     if (RuntimeEnabledFeatures::encryptedMediaEnabled()) {
         // Send event for WD EME.
-        // FIXME: Check origin before providing initData. http://crbug.com/418233.
-        RefPtrWillBeRawPtr<Event> event = createEncryptedEvent(initDataType, initData, initDataLength);
+        RefPtrWillBeRawPtr<Event> event;
+        if (canAccessData(element)) {
+            event = createEncryptedEvent(initDataType, initData, initDataLength);
+        } else {
+            // Current page is not allowed to see content from the media file,
+            // so don't return the initData. However, they still get an event.
+            event = createEncryptedEvent(emptyString(), nullptr, 0);
+        }
+
         event->setTarget(&element);
         element.scheduleEvent(event.release());
     }