Check origin before providing initData in encrypted event

Source/core/html/HTMLMediaElement.cpp

Index: Source/core/html/HTMLMediaElement.cpp
diff --git a/Source/core/html/HTMLMediaElement.cpp b/Source/core/html/HTMLMediaElement.cpp
index 87488bcd8747770f47dbde13f397416c2228c213..435326f20e0449509214c57796520b1e2dd59a3a 100644
--- a/Source/core/html/HTMLMediaElement.cpp
+++ b/Source/core/html/HTMLMediaElement.cpp
@@ -1564,6 +1564,11 @@ bool HTMLMediaElement::isSafeToLoadURL(const KURL& url, InvalidURLAction actionI
     return true;
 }
 
+bool HTMLMediaElement::mediaDataIsCORSSameOrigin(SecurityOrigin* origin) const

[ddorwin, 2015/02/06 21:41:33]

Does the new function really tell us that it is CORS-same-origin? (As discussed
elsewhere) taintsCanvas() is basically canRequest(), which has more to do with
access than same-origin.

hasSingleSecurityOrigin() apparently tells us whether the origin in the src is
the same as the actual request (i.e. after redirect). If correct, it would be
nice to add a comment in WebMediaPlayer.h.

I think didPassCORSAccessCheck() means it was a successful CORS-enabled fetch
(vs. non-CORS-enabled or failed).

Then, taintsCanvas() must check that it is not a URL that requires CORS - that
is, same origin. However, it also does some other things, which I guess are
valid exceptions.

I suppose at a high level, it is equivalent to CORS-same-origin.

[jrummell, 2015/02/07 00:12:26]

Acknowledged. Added comments to indicate this, just so the next person looking
at it has somewhere to start.

+{
+    return hasSingleSecurityOrigin() && ((webMediaPlayer() && webMediaPlayer()->didPassCORSAccessCheck()) || !origin->taintsCanvas(currentSrc()));
+}
+
 void HTMLMediaElement::startProgressEventTimer()
 {
     if (m_progressEventTimer.isActive())