authorDale Curtis <dalecurtis@chromium.org>2020-01-23 22:22:42 +0000
committerKirill Burtsev <kirill.burtsev@qt.io>2020-04-23 11:26:23 +0000
commit0b633aff1ddc6f8cf6540e5b9e5ff44993f9f85f (patch)
tree837165a779b94e9fbd3c8f974764d7e520422a52
parenta6cb9e378be3fac64ef4cae5dde8b300212d364c (diff)
[Backport] Fix for CVE-2020-6439
Always check in with MixedContentChecker in HTMLMediaElement. Some loads are done from an in memory cache and won't trigger the typical mixed content warnings, so explicitly tell MixedContentChecker about our loads to ensure the proper notifications are generated. Fixed: 868145 Change-Id: I4df0ac3db1f2584c2ef44b5e3606acff314bc4ca Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/html/media/html_media_element.cc23
1 files changed, 23 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc b/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
index bb8e7d76e23..c7eeb945a2e 100644
--- a/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/media/html_media_element.cc
@@ -90,6 +90,7 @@
#include "third_party/blink/renderer/core/intersection_observer/intersection_observer_entry.h"
#include "third_party/blink/renderer/core/layout/layout_media.h"
#include "third_party/blink/renderer/core/layout/layout_view.h"
+#include "third_party/blink/renderer/core/loader/mixed_content_checker.h"
#include "third_party/blink/renderer/core/page/chrome_client.h"
#include "third_party/blink/renderer/core/page/page.h"
#include "third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.h"
@@ -1799,6 +1800,28 @@ void HTMLMediaElement::SetReadyState(ReadyState state) {
web_media_player_) {
current_src_after_redirects_ =
KURL(web_media_player_->GetSrcAfterRedirects());
+
+ // Sometimes WebMediaPlayer may load a URL from an in memory cache, which
+ // skips notification of insecure content. Ensure we always notify the
+ // MixedContentChecker of what happened, even if the load was skipped.
+ if (LocalFrame* frame = GetDocument().GetFrame()) {
+ // We don't care about the return value here. The MixedContentChecker will
+ // internally notify for insecure content if it needs to regardless of
+ // what the return value ends up being for this call.
+ MixedContentChecker::ShouldBlockFetch(
+ frame,
+ HasVideo() ? mojom::blink::RequestContextType::VIDEO
+ : mojom::blink::RequestContextType::AUDIO,
+ // Strictly speaking, this check is an approximation; a request could
+ // have have redirected back to its original URL, for example.
+ // However, the redirect status is only used to prevent leaking
+ // information cross-origin via CSP reports, so comparing URLs is
+ // sufficient for that purpose.
+ current_src_after_redirects_ == current_src_
+ ? ResourceRequest::RedirectStatus::kNoRedirect
+ : ResourceRequest::RedirectStatus::kFollowedRedirect,
+ current_src_after_redirects_);
+ }
}
if (new_state > ready_state_maximum_)
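Review bot: The result of `MixedContentChecker::ShouldBlockFetch(...)` is discarded in the added block, so this path reports mixed content but never enforces a block. If the checker would return true for this frame (for example under a stricter mixed-content setting, which is not visible here), media served from the in-memory cache presumably still plays. The existing comment explains why the return value is ignored for notification purposes, but it should also state the enforcement gap, e.g. `// Notification only: a "block" verdict is not enforced here because the load has already completed.`, or the code should act on a true result. Separately, the redirect-status comment has a doubled word (`could have have redirected`). The enclosing condition and the rest of `SetReadyState` lie outside this hunk, so it is not visible which ready-state transitions reach this call.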