-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require CORS for HLS and DASH media formats #6468
Comments
These MIME types cannot be fetched without CORS. Closes #20 and closes #23. Follow-up: whatwg/html#6468.
These MIME types cannot be fetched without CORS. Closes #20 and closes #23. Follow-up: whatwg/html#6468.
Just some quick notes on Chromium Android's current HLS implementation for
|
@sandandsnow I was led to believe there is a same-origin restriction on Android due to annevk/orb#23 (comment) by @acolwell. Is that not correct? |
It is not correct. We set |
So what does that mean exactly? Say the document is on origin A and the manifest is on origin B. Does that work? What origin can the resources listed in the manifest be from? |
That should work, and the resources must be on origin B. It's worth noting explicitly that this is an incomplete implementation. A feature-complete HLS implementation would presumably support the full set of cross-origin media features and behaviors. |
Okay, @anforowicz's https://crrev.com/c/3202583 has more context. As you said this is a problem for Android/iOS (and for Safari on macOS) as per https://en.wikipedia.org/wiki/HTTP_Live_Streaming#Clients. The same-origin-with-the-HLS-manifest limitation makes this hard to abuse for attackers. They would have to inject an HLS manifest into the origin of which they want to attack resources. Given the extremely lax resource type checking this is made easier, but it's still non-trivial. For https://github.com/annevk/orb this presents a challenge. Thoughts:
Both of these we could make conditional upon HLS support to reduce the attack surface when it's not supported. @anforowicz @sandersdan what do you think? |
A nit: there is also Parsing the manifests seems a bit extreme to me. The manifest resources are going to be one of (A) more manifests, (B) MPEG2 TS, or (C) MP4. I expect all of these would be treated as media resources and therefore allowed with no special handling. I don't know offhand whether there are any issues with inaccurate content types on these resources. Making the logic conditional on UA support seems reasonable, from the above list Chromium Android should be able to block MPEG TS since it's not supported by the current |
I agree with #6468 (comment) that ORB cannot blocklist HLS MIME types. I think we should go even one step further and allowlist these MIME types (similarily to how I am not sure if we need to worry about requests (including range requests) for actual video resources covered by the manifest. AFAIU, these subsequent/non-manifest requests do not go through Chrome's network stack (they are handled by an external software component on Android + they need to be implemented via polyfill / @sandersdan, do you think it would be okay if:
|
That works fine for Chromium Android's current implementation. I can't guarantee that Chromium Android will never include its own HLS player implementation, though. |
FWIW,
(D) WebVTT files: https://datatracker.ietf.org/doc/html/draft-pantos-hls-rfc8216bis#section-3.1.4 |
Stepping back, the main problem is that ORB wants to avoid blocking video resources (which are allowed in For non-HLS video, ORB assumes that the very first request will fetch the start (i.e. first bytes) of a video resource - this allows ORB to recognize the response as video (based on audio or video type pattern sniffing) and remember the URL (allowing future range requests). This approach has been initially proposed in whatwg/fetch#721 (comment) For HLS video, it seems that the very first request might already be for the middle of a video request (and when working on ORB we have so far assumed that such middle-of-a-request responses cannot be sniffed):
|
@anforowicz while it works for Chromium, I'm not entirely sure it works for a standard. I suppose we could state something to the effect that the HLS manifest better be handled by a separate process that can do arbitrary network fetches, but only return a media stream, but it seems somewhat sketchy. And if arbitrary byte sequences end up decoding as media this might be a way to smuggle data into the attacker process. Maybe it's good enough for v1 though. Anyway, I agree that the initial problem is determining whether something is HLS. I think it would make sense to cover it as part of https://mimesniff.spec.whatwg.org/#audio-or-video-type-pattern-matching-algorithm as the media element implementation needs it as well. If you or @sandersdan or @jernoble could work on that, that would be great. |
One other alternative is to ask ORB to avoid reading/parsing/sniffing HLS/DASH responses (the manifest fetch + the subsequent video / captions fetches) altogether + require such responses to use accurate/strict |
Given that media manifests are currently recognized by file extensions(!) and such as I understand it I somewhat doubt that would be web compatible, but I would obviously be in favor of it. |
I share your suspicions about this; I'd be interested in eventually running an experiment to check whether
To add some detail here, there is an
I'm not currently in a position to allocate time to this effort, but some quick observations:
|
Just wanted to post an update based on Chrome's now in-progress HLS experiment. We still expect that manifest files will be best identified by the magic string above (#EXTM3U) as the Content-Type is not required to be accurate by the HLS specification. We are unsure about detecting media files by sniffing, since HLS allows for sub-ranges to be requested. We're okay with using Content-Type alone to allow media files and will re-evaluate that based on in-the-field metrics. Even a relatively small fraction of blocked requests could be a problem for us on Android, but on Desktop HLS is currently unsupported so there is potentially more flexibility there. @willcassella is handling the implementation in Chrome. |
Can an HLS resource point to resources on another origin from the origin of the HLS resource itself? At least theoretically the ORB filter could, upon seeing an HLS resource, safelist the URLs mentioned inside it. (It would have to be able to parse HLS for that though.) But if those URLs can point to other origins, the HLS resource could be used for attacks. Safelisting MIME types might be another approach, but if the HLS resource doesn't have one, why would the ranged media resources have one? |
It's totally possible (and I think likely, with interstitial ads) that an HLS playlist could refer to content on other origins. Building an HLS url-extractor on top of the low-level bits I've already written wouldn't bee too difficult, but it still wouldn't be totally straightforward since it'll need to be able to perform variable substitution and parse attribute-lists on tags in order to accurately extract URLs.
Upon intercepting a range-request that doesn't include the sniffable portion of the resource, the network process could hypothetically generate an additional range request for the same resource that does include those bits and block the actual request on that. |
It seems that if HLS allows for arbitrary origins and arbitrary ranges of resources on those origins you need to validate those resources in some manner as otherwise it's a pretty big hole in the whole setup, no? What would stop an attacker from using HLS to pull in (bits of) arbitrary resources across the web? |
(Just responding to Chris Needhams not to HLS group) |
(saying that any resource coming via a redirect from a 3rd party would be known ahead of time and CORS headers would be set up - so maybe it’s a moot point about redirect complications) |
@annevk did this ever reach a conclusion? Is this the plan for Safari HLS? |
@sandersdan Dan, I've been testing how this works in Chrome and I found something that seems unexpected. In https://mozilla.seanfeng.dev/files/hls/, the last case works as the document is on |
We (Chrome) are in the processing of launching our HLS implementation, but it needs to be Safari compatible. It doesn't seem Safari has chosen to restrict cross origin responses (hence my Q above to @annevk), so we're still discussing what we want to do on our side. |
We've had a bit of a discussion exploring manifest-based media formats in annevk/orb#23. In particular, both HLS and DASH are resources that effectively list a bunch of other resources to fetch that when composed result in media. I think the effective conclusions of that thread are as follows:
application/dash+xml
to the (C)ORB blocklist and if media elements require a MIME type for DASH it should then not be possible to get such an "opaque" response.cc @whatwg/media @acolwell
The text was updated successfully, but these errors were encountered: