[Backport] CVE-2018-6177 CVE-2018-6168

defeat cors attacks on audio/video tags

Neutralize error messages and fire no progress events
until media metadata has been loaded for media loaded
from cross-origin locations.

Bug: 828265, 826187

Reviewed-on: https://chromium-review.googlesource.com/1015794
Change-Id: Ie8064f04c606f11bfa88a72b1d5ef82a84bdd409
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

1 files changed, 8 insertions, 2 deletions

diff --git a/chromium/third_party/WebKit/Source/core/html/media/HTMLMediaElement.h b/chromium/third_party/WebKit/Source/core/html/media/HTMLMediaElement.h
index 3ce50fb760b..c39178808b6 100644
--- a/chromium/third_party/WebKit/Source/core/html/media/HTMLMediaElement.h
+++ b/chromium/third_party/WebKit/Source/core/html/media/HTMLMediaElement.h
@@ -258,8 +258,8 @@ class CORE_EXPORT HTMLMediaElement
   using HTMLElement::GetExecutionContext;
 
   bool HasSingleSecurityOrigin() const {
-    return GetWebMediaPlayer() &&
-           GetWebMediaPlayer()->HasSingleSecurityOrigin();
+    return GetWebMediaPlayer() ? GetWebMediaPlayer()->HasSingleSecurityOrigin()
+                               : true;
   }
 
   bool IsFullscreen() const;
@@ -342,6 +342,12 @@ class CORE_EXPORT HTMLMediaElement
   InsertionNotificationRequest InsertedInto(ContainerNode*) override;
   void RemovedFrom(ContainerNode*) override;
 
+  // Return true if media is cross origin from the current document
+  // and has not passed a cors check, meaning that we should return
+  // as little information as possible about it.
+
+  bool MediaShouldBeOpaque() const;
+
   void DidMoveToNewDocument(Document& old_document) override;
   virtual KURL PosterImageURL() const { return KURL(); }