Check origin before providing initData in encrypted event

Source/core/html/HTMLMediaElement.cpp

Index: Source/core/html/HTMLMediaElement.cpp
diff --git a/Source/core/html/HTMLMediaElement.cpp b/Source/core/html/HTMLMediaElement.cpp
index 87488bcd8747770f47dbde13f397416c2228c213..ceb74cb00a5ef8a9e374d5dab607b0ac77dedbf4 100644
--- a/Source/core/html/HTMLMediaElement.cpp
+++ b/Source/core/html/HTMLMediaElement.cpp
@@ -1564,6 +1564,11 @@ bool HTMLMediaElement::isSafeToLoadURL(const KURL& url, InvalidURLAction actionI
     return true;
 }
 
+bool HTMLMediaElement::canAccessSrcFromOrigin(SecurityOrigin* origin) const
+{
+    return hasSingleSecurityOrigin() && ((webMediaPlayer() && webMediaPlayer()->didPassCORSAccessCheck()) || !origin->taintsCanvas(currentSrc()));

[ddorwin, 2015/02/04 23:56:51]

taintsCanvas() has a special exception that is not spec-compliant and perhaps
not appropriate for initData:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit...

We might need to a) call canRequest() instead (???) and b) keep the logic that
was in HVE.

[ddorwin, 2015/02/04 23:56:51]

It's not clear what didPassCORSAccessCheck() means. It appears to just mean that
there was a value (from crossorigin attribute?) Perhaps we only get a loader
object if the CORS check then passed. We should double-check this logic, and
perhaps update related comments.

[sandersd (OOO until July 31), 2015/02/05 00:32:29]

The name is bad, the meaning is that there was a crossorigin attribute and
*also* that it loaded successfully (which should be obvious if we get an
encrypted event, I suppose).

[sandersd (OOO until July 31), 2015/02/05 00:32:29]

My reading of the code is that it is canRequest() is not spec-compliant and that
the workaround is to fix that. Certainly if you have a data URL you can parse
the initData yourself.

+}
+
 void HTMLMediaElement::startProgressEventTimer()
 {
     if (m_progressEventTimer.isActive())