Bug 252755 - Media Source Extensions doesn't work in Iframe with Sandbox attribute.
Summary: Media Source Extensions doesn't work in Iframe with Sandbox attribute.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames (show other bugs)
Version: Safari 16
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-02-22 09:03 PST by Sebastian Arguello
Modified: 2023-03-02 09:22 PST (History)
5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Arguello 2023-02-22 09:03:42 PST 
Read access from Media Source from video element is incorrectly blocked inside iframe with Sandbox attribute, breaking the Media Source Extension (MSE) functionality.
As shown in the demo below, a stream is not needed to repro this error. Just by setting the video element to read from a Media Source is enough to get the error.


Iframe configuration: iframe, sandbox, allow-scripts.

Repro: https://jsfiddle.net/juqts7pb/

Error returned:
Not allowed to load local resource: blob:null/49224ea5-e3cd-4232-88d6-a35871f1c7dc

Expected behavior: MSE should work correctly inside Sandboxed iframes.

I was able to repro this on Safari on Mac and Ipad. Safari on Iphone doesn't support MSE.

Related bugs:

- https://bugs.webkit.org/show_bug.cgi?id=170075
- https://bugs.webkit.org/show_bug.cgi?id=222312
Comment 1 Radar WebKit Bug Importer 2023-03-01 09:04:15 PST 
<rdar://problem/106089796>
Comment 2 Sebastian Arguello 2023-03-02 09:22:26 PST 
Using video.srcObject = mediaSource; instead of video.src = URL.createObjectURL(mediaSource); works fine even in the iframe with sandbox attribute.
Not being familiar with WebKit code, it seems to me that reading from local url created for the media buffer gets incorrectly blocked as the iframe doesn't have an origin.