From e11ea5ed677321f5fa24e8e77b01f8f57a0098a5 Mon Sep 17 00:00:00 2001 From: dalecurtis Date: Wed, 21 Oct 2015 17:26:26 -0700 Subject: Relax cross-origin partial response requirements for CORS presence. Per discussion on the bug, if the redirect passes a CORS we should allow the mixing of origins. DidPassCORSAccessCheck() will ensure each request passes the crossorigin test. Prior to this fix, crossOrigin redirects for video were always broken, this fix also allows 'range' to be a simple header when a client has requested no preflight. BUG=532569 TEST=new unittest, manually verified exploit fails if crossorigin set. Review URL: https://codereview.chromium.org/1356353003 Cr-Commit-Position: refs/heads/master@{#355452}
---
 media/blink/buffered_data_source.cc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'media/blink/buffered_data_source.cc')
diff --git a/media/blink/buffered_data_source.cc b/media/blink/buffered_data_source.cc
index eb4c984..0fc1617 100644
--- a/media/blink/buffered_data_source.cc
+++ b/media/blink/buffered_data_source.cc
@@ -431,9 +431,10 @@ bool BufferedDataSource::CheckPartialResponseURL(
 // generated bytes and the target response. See http://crbug.com/489060#c32
 // for details.
 // If the origin of the new response is different from the first response we
- // deny the redirected response.
- return response_original_url_.GetOrigin() ==
- partial_response_original_url.GetOrigin();
+ // deny the redirected response unless the crossorigin attribute has been set.
+ return (response_original_url_.GetOrigin() ==
+ partial_response_original_url.GetOrigin()) ||
+ DidPassCORSAccessCheck();
 }

 void BufferedDataSource::ReadCallback(
-- cgit v1.1
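Review bot: The comment added above the new return in CheckPartialResponseURL says the mixed-origin response is allowed when "the crossorigin attribute has been set", but the code admits it on `DidPassCORSAccessCheck()`, which is a stronger condition than the attribute being present. I would word it as `// deny the redirected response unless the load passed the CORS access check.` so that a later edit does not relax the test to an attribute check. DidPassCORSAccessCheck() is defined outside this hunk and takes no argument, so it presumably reports state held by the data source or its loader rather than anything about `partial_response_original_url`. It is worth confirming, and stating in the comment, that this state is re-evaluated for the response being checked and cannot be left over from an earlier response. The function body begins above the hunk, so the handling of the first response is not visible here.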