Hi

On Wed, May 03, 2023 at 02:16:03PM +0300, Rémi Denis-Courmont wrote:
> Nit: different fixed
>
> But is there an actual threat model whence it is necessary or even useful for a media framework to implement origin policies? On top of my head, this can be used by content providers to prevent third parties from referencing their media files... but that seems user-hostile; it does not provide any security for the user of FFmpeg.
>
> I could be wrong, but IMU, origin policy is meant to prevent harmful embedding of images and frames, and to prevent cross-site scripting, but FFmpeg doesn't support either of these anyway, so it's not concerned.

This patch was inspired by a report on ffmpeg-security about SSRF (for which a custom io_open() callback or some sort of sandboxing/VM can be used to avoid it).
The patch here was intended to explore if we can provide something that's better than currently by default.

But the same issue with roles flipped occurs for the end user, and the user cannot be expected to set up a custom io_open() callback for his player.

The current code can also be used to poke around the local network of the user, which is unexpected by the user.
For example, an avi file could be probed as an m3u8 playlist and then poke around on the local net while mixing that with remote URLs. From the timing of the remote accesses, the remote party should be able to infer what happened with the local poking. Did it time out? Was the access rejected? Was there a file that was read and probed/played?

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do? Blow himself up
What's the most stupid thing you could do? Give up your rights and
freedom because your enemy blew himself up.