Test for Cross-origin resouce status leak via MediaError

# HG changeset patch # User Sebastian Streich # Date 1594901018 0 # Thu Jul 16 12:03:38 2020 +0000 # Node ID b8f37ab6318150a94022625b0500efce2c456947 # Parent 7e7affa995d31d0325c26d7a9994971e7682f3a0 Bug 1450853 - Use Generic Error for 3rdparty MediaElement r=ckerschb,smaug *** Add test Differential Revision: https://phabricator.services.mozilla.com/D80080 diff -r 7e7affa995d3 -r b8f37ab63181 dom/html/HTMLMediaElement.cpp --- a/dom/html/HTMLMediaElement.cpp Thu Jul 16 12:23:08 2020 +0000 +++ b/dom/html/HTMLMediaElement.cpp Thu Jul 16 12:03:38 2020 +0000 @@ -2354,7 +2354,24 @@ if (mDecoder) { ShutdownDecoder(); } - mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails); + + bool isThirdPartyLoad = false; + nsresult rv = NS_ERROR_NOT_AVAILABLE; + if (mSrcAttrTriggeringPrincipal) { + rv = mSrcAttrTriggeringPrincipal->IsThirdPartyURI(mLoadingSrc, + &isThirdPartyLoad); + } + + if (NS_SUCCEEDED(rv) && isThirdPartyLoad) { + // aErrorDetails can include sensitive details like MimeType or HTTP Status + // Code. In case we're loading a 3rd party resource we should not leak this + // and pass a Generic Error Message + mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, + NS_LITERAL_CSTRING("Failed to open media")); + } else { + mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails); + } + RemoveMediaTracks(); ChangeDelayLoadStatus(false); UpdateAudioChannelPlayingState(); diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/mochitest.ini --- a/dom/security/test/general/mochitest.ini Thu Jul 16 12:23:08 2020 +0000 +++ b/dom/security/test/general/mochitest.ini Thu Jul 16 12:03:38 2020 +0000 @@ -63,3 +63,4 @@ [test_sec_fetch_websocket.html] skip-if = toolkit == 'android' # no websocket support Bug 982828 support-files = file_sec_fetch_websocket_wsh.py +[test_bug1450853.html] \ No newline at end of file diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/test_bug1450853.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/dom/security/test/general/test_bug1450853.html Thu Jul 16 12:03:38 2020 +0000 @@ -0,0 +1,58 @@ + + + + + +Test for Cross-origin resouce status leak via MediaError + + + + +

+ + + + + + Mozilla Bug 1450853 + + +