CORS Security Flaw with HTMLMediaElement for WebGL
| Originator: | electroteque | ||
| Number: | rdar://24641824 | Date Originated: | 13/2/2016 |
| Status: | Open | Resolved: | No |
| Product: | Safari | Product Version: | |
| Classification: | Serious | Reproducible: | Always |
Summary: Hi there please hear me out because this should take priority if you ever want VR mainstream on Safari and IOS. Safari on IOS and OSX have a severe flaws with CORS security for html5 video which is completely crippling Webgl and therefore VR video support. It has been like this for years . There is a webkit issue for this but they have treated it with nothing but contempt. It has been sitting there since July 2014 with nobody assigned to it. Also we need a way to get video playing inline on Iphone to display the Webgl canvas. Even with CORS support finally added in that doesn't need dodgy reverse proxy hacks Iphone will be completely useless for WebVR until it can play inline. https://bugs.webkit.org/show_bug.cgi?id=135379 Steps to Reproduce: https://jsfiddle.net/0agb03Ld/17/ Expected Results: Needs to handle video.crossOrigin = "anonymous"; Actual Results: Cross domain security errors Version: OSX / IOS Notes: The work around is evident on my VR video demo page. It requires an Nginx or Apache reverse proxy to the video stored on cloudfront. This is bad for production purposes and will not scale. I have a similar solution for 2D canvas drawing but loading one frame of a video is different to playback. https://flowplayer.electroteque.org/vr360/fp6 https://flowplayer.electroteque.org/snapshot/fp6
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!