[Webkit-unassigned] [Bug 178551] PLaying HLS on HTML5 doesn't respect cookies from another domain

Fri Oct 20 12:03:03 PDT 2017

https://bugs.webkit.org/show_bug.cgi?id=178551

--- Comment #5 from ealarcon at altavoz.net ---
(In reply to Jer Noble from comment #4)
> (In reply to ealarcon from comment #3)
> > (In reply to Jer Noble from comment #2)
> > > (In reply to ealarcon from comment #0)
> > > > The new third party policy of cookies, blocks all cookies from a third party
> > > > media server, making it impossible to track the state of the player.
> > > > 
> > > > The RFC specifically states:
> > > > 
> > > >    HTTP requests often include session state ("cookies"), which may
> > > >    contain private user data.  Implementations MUST follow cookie
> > > >    restriction and expiry rules specified by "HTTP State Management
> > > >    Mechanism" [RFC6265] to protect themselves from attack.  See also the
> > > >    Security Considerations section of that document, and "Use of HTTP
> > > >    State Management" [RFC2964].
> > > > 
> > > > Besides still not supporting MSE.
> > > 
> > > Can you provide a test case?  And is this behavior any different for image
> > > resources?
> > 
> > Hello, i've created a demo for testing:
> > 
> > http://www.altavoz.net/hls_test/
> > 
> > If you try it, the player will play for about 15 seconds before coming to a
> > stop, this is because the state cookies that the media server sets up for
> > the player are ignored and not returned, so the media server doesn't know if
> > the player is working.
> > The media server is in another domain, so i expected the cookies to be kept
> > only for the playing session, and then erased.
> > I've made the test of visiting de media server "home" and then going back to
> > the site with the embedded media, and it plays fine but makes it impossible
> > to use the media content on multiples sites and have a central media server.
> 
> Are you looking for the cookies on the request for the .m3u8, or for the
> requests on each of the .ts segments?

I'm looking for the cookies on the requests for the m3u8, i haven't checked on the segments, at this time the segments doesn't need cookies

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171020/24303c99/attachment.html>