[Webkit-unassigned] [Bug 254120] New: REGRESSION (259626 at main, iOS 16.4): cnn.com auto-plays blank videos on all pages, in 3rd party browsers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 18 14:32:24 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=254120

            Bug ID: 254120
           Summary: REGRESSION (259626 at main, iOS 16.4): cnn.com auto-plays
                    blank videos on all pages, in 3rd party browsers
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Media
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: bfulgham at webkit.org, eric.carlson at apple.com,
                    jer.noble at apple.com, youennf at gmail.com

In iOS 16.4 beta 4, visiting cnn.com (either the main page, or any article on the site) will auto-load a blank video. This only reproduces in 3rd-party browsers on iOS, including Chrome, Firefox, and Edge.

I bisected this to https://commits.webkit.org/259626@main (bug 251372), which allows videos to auto-play using transient activation.

The problem with this approach is that 3rd-party browsers on iOS implement many features using JavaScript injection, and this implicitly injects a user gesture (there are no public API versions of evaluateJavaScript that don't inject a user gesture, though there are SPIs that do this).

So what's happening here is that cnn.com is (for whatever reason) trying to auto-play a blank video on page load, and this is disallowed in Safari (which isn't injecting JS with a user gesture) but allowed in third-party browsers (which are injecting JS using public APIs, which implicitly injects a user gesture).

In this particular case, an ideal fix would be for cnn.com to stop doing this, but I'm still concerned about such a high-profile site being broken this way, and also that malicious sites will start to take advantage of this and autoplay videos without a real user gesture in non-Safari browsers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230318/19b9e208/attachment.htm>

More information about the webkit-unassigned mailing list