Relax cross-origin partial response requirements for CORS presence.

Per discussion on the bug, if the redirect passes a CORS we should allow the mixing of origins. DidPassCORSAccessCheck() will ensure each request passes the crossorigin test. Prior to this fix, crossOrigin redirects for video were always broken, this fix also allows 'range' to be a simple header when a client has requested no preflight. BUG=532569 TEST=new unittest, manually verified exploit fails if crossorigin set. Review URL: https://codereview.chromium.org/1356353003 Cr-Commit-Position: refs/heads/master@{#355452}
author: dalecurtis <dalecurtis@chromium.org> 2015-10-21 17:26:26 -0700
committer: Commit bot <commit-bot@chromium.org> 2015-10-22 00:27:07 +0000
commit: e11ea5ed677321f5fa24e8e77b01f8f57a0098a5 (patch)
tree: 72589ff802134979742c03949110293954eee288 /media
parent: 34a8990806a42ee9356ce5b2f932057169c03a90 (diff)
download: chromium_src-e11ea5ed677321f5fa24e8e77b01f8f57a0098a5.zip
chromium_src-e11ea5ed677321f5fa24e8e77b01f8f57a0098a5.tar.gz
chromium_src-e11ea5ed677321f5fa24e8e77b01f8f57a0098a5.tar.bz2
2 files changed, 30 insertions, 10 deletions
diff --git a/media/blink/buffered_data_source.cc b/media/blink/buffered_data_source.cc
index eb4c984..0fc1617 100644
--- a/media/blink/buffered_data_source.cc
+++ b/media/blink/buffered_data_source.cc
@@ -431,9 +431,10 @@ bool BufferedDataSource::CheckPartialResponseURL(
   // generated bytes and the target response. See http://crbug.com/489060#c32
   // for details.
   // If the origin of the new response is different from the first response we
-  // deny the redirected response.
-  return response_original_url_.GetOrigin() ==
-         partial_response_original_url.GetOrigin();
+  // deny the redirected response unless the crossorigin attribute has been set.
+  return (response_original_url_.GetOrigin() ==
+          partial_response_original_url.GetOrigin()) ||
+         DidPassCORSAccessCheck();
 }
 
 void BufferedDataSource::ReadCallback(
diff --git a/media/blink/buffered_data_source_unittest.cc b/media/blink/buffered_data_source_unittest.cc
index 878d5f7..aed8453 100644
--- a/media/blink/buffered_data_source_unittest.cc
+++ b/media/blink/buffered_data_source_unittest.cc
@@ -51,11 +51,12 @@ class MockBufferedDataSource : public BufferedDataSource {
  public:
   MockBufferedDataSource(
       const GURL& url,
+      BufferedResourceLoader::CORSMode cors_mode,
       const scoped_refptr<base::SingleThreadTaskRunner>& task_runner,
       WebLocalFrame* frame,
       BufferedDataSourceHost* host)
       : BufferedDataSource(url,
-                           BufferedResourceLoader::kUnspecified,
+                           cors_mode,
                            task_runner,
                            frame,
                            new media::MediaLog(),
@@ -128,13 +129,13 @@ class BufferedDataSourceTest : public testing::Test {
 
   MOCK_METHOD1(OnInitialize, void(bool));
 
-  void Initialize(const char* url, bool expected) {
+  void InitializeWithCORS(const char* url,
+                          bool expected,
+                          BufferedResourceLoader::CORSMode cors_mode) {
     GURL gurl(url);
-    data_source_.reset(
-        new MockBufferedDataSource(gurl,
-                                   message_loop_.task_runner(),
-                                   view_->mainFrame()->toWebLocalFrame(),
-                                   &host_));
+    data_source_.reset(new MockBufferedDataSource(
+        gurl, cors_mode, message_loop_.task_runner(),
+        view_->mainFrame()->toWebLocalFrame(), &host_));
     data_source_->SetPreload(preload_);
 
     response_generator_.reset(new TestResponseGenerator(gurl, kFileSize));
@@ -148,6 +149,10 @@ class BufferedDataSourceTest : public testing::Test {
     EXPECT_EQ(data_source_->downloading(), is_http);
   }
 
+  void Initialize(const char* url, bool expected) {
+    InitializeWithCORS(url, expected, BufferedResourceLoader::kUnspecified);
+  }
+
   // Helper to initialize tests with a valid 200 response.
   void InitializeWith200Response() {
     Initialize(kHttpUrl, true);
@@ -577,6 +582,20 @@ TEST_F(BufferedDataSourceTest,
   ExecuteMixedResponseFailureTest(response1, response2);
 }
 
+TEST_F(BufferedDataSourceTest,
+       Http_MixedResponse_ServiceWorkerProxiedAndDifferentOriginResponseCORS) {
+  InitializeWithCORS(kHttpUrl, true, BufferedResourceLoader::kAnonymous);
+  WebURLResponse response1 =
+      response_generator_->GeneratePartial206(0, kDataSize - 1);
+  response1.setWasFetchedViaServiceWorker(true);
+  response1.setOriginalURLViaServiceWorker(GURL(kHttpDifferentOriginUrl));
+  WebURLResponse response2 =
+      response_generator_->GeneratePartial206(kDataSize, kDataSize * 2 - 1);
+  // The origin URL of response1 and response2 are different, but a CORS check
+  // has been passed for each request, so expect success.
+  ExecuteMixedResponseSuccessTest(response1, response2);
+}
+
 TEST_F(BufferedDataSourceTest, File_Retry) {
   InitializeWithFileResponse();
author	dalecurtis <dalecurtis@chromium.org>	2015-10-21 17:26:26 -0700
committer	Commit bot <commit-bot@chromium.org>	2015-10-22 00:27:07 +0000
commit	e11ea5ed677321f5fa24e8e77b01f8f57a0098a5 (patch)
tree	72589ff802134979742c03949110293954eee288 /media
parent	34a8990806a42ee9356ce5b2f932057169c03a90 (diff)
download	chromium_src-e11ea5ed677321f5fa24e8e77b01f8f57a0098a5.zip chromium_src-e11ea5ed677321f5fa24e8e77b01f8f57a0098a5.tar.gz chromium_src-e11ea5ed677321f5fa24e8e77b01f8f57a0098a5.tar.bz2