author | Dale Curtis <dalecurtis@chromium.org> | 2020-01-23 22:22:42 +0000 |
---|---|---|
committer | Kirill Burtsev <kirill.burtsev@qt.io> | 2020-04-23 11:26:23 +0000 |
commit | 0b633aff1ddc6f8cf6540e5b9e5ff44993f9f85f (patch) | |
tree | 837165a779b94e9fbd3c8f974764d7e520422a52 | |
parent | a6cb9e378be3fac64ef4cae5dde8b300212d364c (diff) | |
download | qtwebengine-chromium-0b633aff1ddc6f8cf6540e5b9e5ff44993f9f85f.tar.gz |
[Backport] Fix for CVE-2020-6439
Always check in with MixedContentChecker in HTMLMediaElement.
Some loads are done from an in memory cache and won't trigger the
typical mixed content warnings, so explicitly tell MixedContentChecker
about our loads to ensure the proper notifications are generated.
Fixed: 868145
Change-Id: I4df0ac3db1f2584c2ef44b5e3606acff314bc4ca
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/html/media/html_media_element.cc | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc b/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
index bb8e7d76e23..c7eeb945a2e 100644
--- a/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
@@ -90,6 +90,7 @@
 #include "third_party/blink/renderer/core/intersection_observer/intersection_observer_entry.h"
 #include "third_party/blink/renderer/core/layout/layout_media.h"
 #include "third_party/blink/renderer/core/layout/layout_view.h"
+#include "third_party/blink/renderer/core/loader/mixed_content_checker.h"
 #include "third_party/blink/renderer/core/page/chrome_client.h"
 #include "third_party/blink/renderer/core/page/page.h"
 #include "third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.h"
@@ -1799,6 +1800,28 @@ void HTMLMediaElement::SetReadyState(ReadyState state) {
 web_media_player_) {
 current_src_after_redirects_ =
 KURL(web_media_player_->GetSrcAfterRedirects());
+
+ // Sometimes WebMediaPlayer may load a URL from an in memory cache, which
+ // skips notification of insecure content. Ensure we always notify the
+ // MixedContentChecker of what happened, even if the load was skipped.
+ if (LocalFrame* frame = GetDocument().GetFrame()) {
+ // We don't care about the return value here. The MixedContentChecker will
+ // internally notify for insecure content if it needs to regardless of
+ // what the return value ends up being for this call.
+ MixedContentChecker::ShouldBlockFetch(
+ frame,
+ HasVideo() ? mojom::blink::RequestContextType::VIDEO
+ : mojom::blink::RequestContextType::AUDIO,
+ // Strictly speaking, this check is an approximation; a request could
+ // have have redirected back to its original URL, for example.
+ // However, the redirect status is only used to prevent leaking
+ // information cross-origin via CSP reports, so comparing URLs is
+ // sufficient for that purpose.
+ current_src_after_redirects_ == current_src_
+ ? ResourceRequest::RedirectStatus::kNoRedirect
+ : ResourceRequest::RedirectStatus::kFollowedRedirect,
+ current_src_after_redirects_);
+ }
 }
 
 if (new_state > ready_state_maximum_) |
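Review bot: The result of `MixedContentChecker::ShouldBlockFetch(...)` is discarded inside the new `if (LocalFrame* frame = GetDocument().GetFrame())` block, so this path reports mixed content but never enforces it. If the checker decides the media URL must be blocked (for example under a strict mixed-content policy, which is an assumption because the policy code is not in this hunk), a response served from the in-memory cache has already loaded and keeps playing. The comment should say so explicitly, e.g. `// Notification only: the load has already happened, so a "block" verdict is not enforced here.`, or the verdict should be acted on. Separately, the redirect comment has a doubled word (`have have redirected`). SetReadyState and the enclosing `if` condition begin outside the hunk, so whether `current_src_after_redirects_` can be empty at this point cannot be checked from here.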