web audio api outputs silence for 302 redirected resource in safari

https://bugs.webkit.org/show_bug.cgi?id=214932
<rdar://problem/66300050>

Reviewed by Darin Adler.

Source/WebCore:

If the resource is redirected to another origin, treat it as tainted only if the crossorigin attribute
is not set. This is done for consistency with Blink:
- https://github.com/chromium/chromium/blob/master/media/blink/webmediaplayer_impl.cc (see WouldTaintOrigin())

The new behavior also seems to match Firefox.

Tests: http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect.html
       http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect.html

* Modules/webaudio/MediaElementAudioSourceNode.cpp:
(WebCore::MediaElementAudioSourceNode::wouldTaintOrigin):

LayoutTests:

Add layout test coverage. Update existing test to reflect the fact that the frequency returned by
the AnalyserNode is -Infinity when input is silent, not minDecibels (this has changed fairly
recently).

* http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect-expected.txt: Added.
* http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect.html: Copied from LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html.
* http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html:
* http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect-expected.txt: Added.
* http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect.html: Copied from LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@267532 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

LayoutTests/ChangeLog

@@ -1,3 +1,21 @@
+2020-09-24  Chris Dumez  <[email protected]>
+
+        web audio api outputs silence for 302 redirected resource in safari
+        https://bugs.webkit.org/show_bug.cgi?id=214932
+        <rdar://problem/66300050>
+
+        Reviewed by Darin Adler.
+
+        Add layout test coverage. Update existing test to reflect the fact that the frequency returned by
+        the AnalyserNode is -Infinity when input is silent, not minDecibels (this has changed fairly
+        recently).
+
+        * http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect-expected.txt: Added.
+        * http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect.html: Copied from LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html.
+        * http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html:
+        * http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect-expected.txt: Added.
+        * http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect.html: Copied from LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html.
+
 2020-09-24  Frederic Wang  <[email protected]>
 
         Resync WPT's mathml and math-script-level-and-math-style tests

LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect-expected.txt

@@ -0,0 +1,10 @@
+Ensure that audio is rendered when tainted by a remote audio resource when CORS is enabled.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS outputArray is not silentArray
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect.html

@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="../../../resources/js-test-pre.js"></script>
+    <script src="../../media-resources/media-file.js"></script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+    description("Ensure that audio is rendered when tainted by a remote audio resource when CORS is enabled.");
+    window.jsTestIsAsync = true;
+
+    function go() {
+        let audio = new Audio();
+        audio.crossOrigin = "anonymous";
+        let mediaFile = findMediaFile("audio", "../../media/resources/1000Hz-sin");
+        let type = mimeTypeForExtension(mediaFile.split('.').pop());
+        audio.src = "http://localhost:8080/security/resources/redirect-allow-star.php?url=" + encodeURIComponent("http://127.0.0.1:8080/security/resources/video-cross-origin-allow.php?name=" + mediaFile + "&type=" + type);
+
+        context = new AudioContext();
+        let mediaSource = context.createMediaElementSource(audio);
+        let analyser = context.createAnalyser();
+        analyser.fftSize = 32;
+
+        mediaSource.connect(analyser);
+
+        context.resume().then(() => {
+            audio.play();
+        });
+
+        window.outputArray = new Float32Array(analyser.frequencyBinCount);
+        window.silentArray = new Float32Array(analyser.frequencyBinCount);
+        silentArray.fill(-Infinity);
+
+        var intervalToken = setInterval(() => {
+            analyser.getFloatFrequencyData(outputArray);
+        }, 30);
+
+        audio.addEventListener("ended", event => {
+            clearInterval(intervalToken);
+            context.suspend().then(() => {
+                shouldNotBe("outputArray", "silentArray");
+                finishJSTest();
+            });
+        });
+    }
+    window.addEventListener('load', go);
+</script>
+<script src="../../../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html

@@ -30,7 +30,7 @@
 
         window.outputArray = new Float32Array(analyser.frequencyBinCount);
         window.silentArray = new Float32Array(analyser.frequencyBinCount);
-        silentArray.fill(analyser.minDecibels);
+        silentArray.fill(-Infinity);
 
         var intervalToken = setInterval(() => {
             analyser.getFloatFrequencyData(outputArray);

LayoutTests/http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect-expected.txt

@@ -0,0 +1,10 @@
+Ensure that audio is not rendered when tainted by a remote audio resource when CORS is not enabled.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS outputArray is silentArray
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect.html

@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="../../../resources/js-test-pre.js"></script>
+    <script src="../../media-resources/media-file.js"></script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+    description("Ensure that audio is not rendered when tainted by a remote audio resource when CORS is not enabled.");
+    window.jsTestIsAsync = true;
+
+    function go() {
+        let audio = new Audio();
+        let mediaFile = findMediaFile("audio", "../../media/resources/1000Hz-sin");
+        let type = mimeTypeForExtension(mediaFile.split('.').pop());
+        audio.src = "http://localhost:8080/security/resources/redirect-allow-star.php?url=" + encodeURIComponent("http://127.0.0.1:8080/security/resources/video-cross-origin-allow.php?name=" + mediaFile + "&type=" + type);
+
+        context = new AudioContext();
+        let mediaSource = context.createMediaElementSource(audio);
+        let analyser = context.createAnalyser();
+        analyser.fftSize = 32;
+
+        mediaSource.connect(analyser);
+
+        context.resume().then(() => {
+            audio.play();
+        });
+
+        window.outputArray = new Float32Array(analyser.frequencyBinCount);
+        window.silentArray = new Float32Array(analyser.frequencyBinCount);
+        silentArray.fill(-Infinity);
+
+        var intervalToken = setInterval(() => {
+            analyser.getFloatFrequencyData(outputArray);
+        }, 30);
+
+        audio.addEventListener("ended", event => {
+            clearInterval(intervalToken);
+            context.suspend().then(() => {
+                shouldBe("outputArray", "silentArray");
+                finishJSTest();
+            });
+        });
+    }
+    window.addEventListener('load', go);
+</script>
+<script src="../../../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/platform/win/TestExpectations

@@ -529,6 +529,10 @@ webkit.org/b/86914 fast/history/page-cache-closed-audiocontext.html [ Skip ]
 webkit.org/b/86914 fast/history/page-cache-running-audiocontext.html [ Skip ]
 webkit.org/b/86914 fast/history/page-cache-suspended-audiocontext.html [ Skip ]
 webkit.org/b/86914 media/W3C/audio [ Skip ]
+webkit.org/b/86914 http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html [ Skip ]
+webkit.org/b/86914 http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin.html [ Skip ]
+webkit.org/b/86914 http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect.html [ Skip ]
+webkit.org/b/86914 http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect.html [ Skip ]
 
 # ENABLE(DRAGGABLE_REGION) is disabled
 fast/css/draggable-region-parser.html [ Skip ]
@@ -4018,9 +4022,6 @@ webkit.org/b/185075 css3/color-filters/color-filter-inherits.html [ ImageOnlyFai
 webkit.org/b/185075 css3/color-filters/color-filter-outline.html [ ImageOnlyFailure ]
 webkit.org/b/185075 css3/color-filters/color-filter-text-emphasis.html [ ImageOnlyFailure ]
 
-webkit.org/b/185471 http/tests/security/webaudio-render-remote-audio-allowed-crossorigin.html [ Skip ]
-webkit.org/b/185471 http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin.html [ Skip ]
-
 webkit.org/b/185765 fast/images/animated-image-mp4-crash.html [ Skip ]
 
 webkit.org/b/185678 fast/css-generated-content/pseudo-animation.html [ Failure ]

Source/WebCore/ChangeLog

@@ -1,3 +1,23 @@
+2020-09-24  Chris Dumez  <[email protected]>
+
+        web audio api outputs silence for 302 redirected resource in safari
+        https://bugs.webkit.org/show_bug.cgi?id=214932
+        <rdar://problem/66300050>
+
+        Reviewed by Darin Adler.
+
+        If the resource is redirected to another origin, treat it as tainted only if the crossorigin attribute
+        is not set. This is done for consistency with Blink:
+        - https://github.com/chromium/chromium/blob/master/media/blink/webmediaplayer_impl.cc (see WouldTaintOrigin())
+
+        The new behavior also seems to match Firefox.
+
+        Tests: http/tests/security/webaudio-render-remote-audio-allowed-crossorigin-redirect.html
+               http/tests/security/webaudio-render-remote-audio-blocked-no-crossorigin-redirect.html
+
+        * Modules/webaudio/MediaElementAudioSourceNode.cpp:
+        (WebCore::MediaElementAudioSourceNode::wouldTaintOrigin):
+
 2020-09-24  Youenn Fablet  <[email protected]>
 
         Regression(r265280) Web Audio sources malfunction when disconnected from the audio graph

Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.cpp

@@ -123,7 +123,9 @@ void MediaElementAudioSourceNode::setFormat(size_t numberOfChannels, float sourc
 
 bool MediaElementAudioSourceNode::wouldTaintOrigin()
 {
-    if (!m_mediaElement->hasSingleSecurityOrigin())
+    // If the resource is redirected to another origin, treat it as tainted if the crossorigin attribute
+    // is not set. This is done for consistency with Blink.
+    if (!m_mediaElement->hasSingleSecurityOrigin() && m_mediaElement->crossOrigin().isNull())
         return true;
 
     if (m_mediaElement->didPassCORSAccessCheck())