[Webkit-unassigned] [Bug 254120] New: REGRESSION (259626 at main, iOS 16.4): cnn.com auto-plays blank videos on all pages, in 3rd party browsers
bugzilla-daemon at webkit.org
Sat Mar 18 14:32:24 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=254120
Bug ID: 254120
Summary: REGRESSION (259626 at main, iOS 16.4): cnn.com auto-plays
blank videos on all pages, in 3rd party browsers
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Media
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ajuma at chromium.org
CC: bfulgham at webkit.org, eric.carlson at apple.com,
jer.noble at apple.com, youennf at gmail.com
In iOS 16.4 beta 4, visiting cnn.com (either the main page, or any article on the site) will auto-load a blank video. This only reproduces in 3rd-party browsers on iOS, including Chrome, Firefox, and Edge.
I bisected this to https://commits.webkit.org/259626@main (bug 251372), which allows videos to auto-play using transient activation.
The problem with this approach is that 3rd-party browsers on iOS implement many features using JavaScript injection, and this implicitly injects a user gesture (there are no public API versions of evaluateJavaScript that don't inject a user gesture, though there are SPIs that do this).
So what's happening here is that cnn.com is (for whatever reason) trying to auto-play a blank video on page load, and this is disallowed in Safari (which isn't injecting JS with a user gesture) but allowed in third-party browsers (which are injecting JS using public APIs, which implicitly injects a user gesture).
In this particular case, an ideal fix would be for cnn.com to stop doing this, but I'm still concerned about such a high-profile site being broken this way, and also that malicious sites will start to take advantage of this and autoplay videos without a real user gesture in non-Safari browsers.
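A test-page diagnostic for the condition the report describes, added here as an example; it is not part of the original message or of WebKit's code. It separates playback that followed a trusted input event from playback that succeeded only because transient activation was already present at load. All function names are hypothetical, and it assumes `navigator.userActivation` is available and that the page's `<video>` is unmuted.

```javascript
// Added diagnostic for a browser test page; all names here are hypothetical.
const INPUT_EVENTS = ["pointerdown", "pointerup", "touchend", "keydown", "mousedown"];

// Install as early as possible so any genuine interaction before the probe is seen.
function installInputWatcher(doc) {
  let sawTrustedInput = false;
  const onInput = (event) => { if (event.isTrusted) sawTrustedInput = true; };
  for (const type of INPUT_EVENTS) doc.addEventListener(type, onInput, { capture: true });
  return () => sawTrustedInput;
}

// Pure decision logic, kept separate so it can be checked outside a browser.
function classifyAutoplay({ activationActive, sawTrustedInput, playOutcome }) {
  if (playOutcome !== "played") return playOutcome;      // "blocked" or "error"
  if (sawTrustedInput) return "allowed-by-user";         // a real gesture preceded play()
  if (activationActive) return "allowed-by-injected-activation"; // case in this report
  return "allowed-by-policy";                            // e.g. a per-site setting
}

// Probe: `video` is assumed to be an unmuted <video> with a playable source.
async function probeAutoplay(nav, video, sawInput) {
  const activationActive = Boolean(nav.userActivation && nav.userActivation.isActive);
  let playOutcome;
  try {
    await video.play();
    video.pause();
    playOutcome = "played";
  } catch (err) {
    // A rejected play() with NotAllowedError means the autoplay policy held.
    playOutcome = err && err.name === "NotAllowedError" ? "blocked" : "error";
  }
  return classifyAutoplay({ activationActive, sawTrustedInput: sawInput(), playOutcome });
}

// Browser-only wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined") {
  const sawInput = installInputWatcher(document);
  window.addEventListener("load", async () => {
    const video = document.querySelector("video");
    if (video) console.log("autoplay probe:", await probeAutoplay(navigator, video, sawInput));
  });
}
```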