Bug 252755

Summary: Media Source Extensions doesn't work in Iframe with Sandbox attribute.
Product: WebKit Reporter: Sebastian Arguello <sarguellogos>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: eric.carlson, jean-yves.avenard, jer.noble, sarguellogos, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 16   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=170075
https://bugs.webkit.org/show_bug.cgi?id=222312

Description Sebastian Arguello 2023-02-22 09:03:42 PST 
Read access from Media Source from video element is incorrectly blocked inside iframe with Sandbox attribute, breaking the Media Source Extension (MSE) functionality.
As shown in the demo below, a stream is not needed to repro this error. Just by setting the video element to read from a Media Source is enough to get the error.


Iframe configuration: iframe, sandbox, allow-scripts.

Repro: https://jsfiddle.net/juqts7pb/

Error returned:
Not allowed to load local resource: blob:null/49224ea5-e3cd-4232-88d6-a35871f1c7dc

Expected behavior: MSE should work correctly inside Sandboxed iframes.

I was able to repro this on Safari on Mac and Ipad. Safari on Iphone doesn't support MSE.

Related bugs:

- https://bugs.webkit.org/show_bug.cgi?id=170075
- https://bugs.webkit.org/show_bug.cgi?id=222312
Comment 1 Radar WebKit Bug Importer 2023-03-01 09:04:15 PST 
<rdar://problem/106089796>
Comment 2 Sebastian Arguello 2023-03-02 09:22:26 PST 
Using video.srcObject = mediaSource; instead of video.src = URL.createObjectURL(mediaSource); works fine even in the iframe with sandbox attribute.
Not being familiar with WebKit code, it seems to me that reading from local url created for the media buffer gets incorrectly blocked as the iframe doesn't have an origin.