by duckerude 1950 days ago
> domain.endsWith("hulu.com")

Huh, does that mean it would also apply on "thisisnothulu.com"?

Most other endsWith calls seem to do e.g. `domain.endsWith(".hulu.com")` to only match subdomains.

4 comments

This is to enable Safari's legacy EME implementation. I wonder if there are any vulnerabilities waiting in those unmaintained legacy codepaths.

https://github.com/WebKit/webkit/blob/master/Source/WebCore/...

I first noticed this bug a year ago last February and it's been unchanged ever since.

Definitely a vulnerability there exploitable in concert with the error in the domain name check.
Good catch.

Just on a quick glance, a few lines above might possibly be a good vector to test for ads to get around autoplay sound restrictions. Make a domain ending with somethingnetflix.com, iframe it, and maybe figure out if the second link below has a class that allows override to allow autoplay sound without user interaction to something like kWKWebsiteAutoplayPolicyAllow with sound on.

https://github.com/WebKit/WebKit/blob/f43587ec2416b86eecef50... https://github.com/WebKit/WebKit/blob/88278b55563e5ccdc0b341...

I've created a WebKit bug report for this so they can fix it.

https://bugs.webkit.org/show_bug.cgi?id=222130

Damn, it seems you're right and it applies to any domain ending with this instead of hulu.com subdomains.

From the name of the quirk, I'm not sure this is an issue though.
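
The suffix check discussed in this thread, as an added example that is not part of any comment above and is not WebKit's code: it puts the bare `endsWith("hulu.com")` test beside a label-boundary check and lists the hostnames where the two disagree. All function names are hypothetical, the hostnames are constructed samples, and accepting the bare domain as well as its subdomains is an assumption about the intended behaviour.

```javascript
// Added example: every name here is hypothetical, not a WebKit identifier.

// The check quoted in the thread: a bare suffix test with no label boundary.
function looseSuffixMatch(host, base) {
  return host.endsWith(base);
}

// Normalise a hostname for comparison: lower-case, drop one trailing root dot.
function normalizeHost(host) {
  const h = String(host).trim().toLowerCase();
  return h.endsWith(".") ? h.slice(0, -1) : h;
}

// Boundary-aware check: the host is the base domain itself or a subdomain of it.
// (Assumption: the bare domain should match too, not only subdomains.)
function isDomainOrSubdomain(host, base) {
  const h = normalizeHost(host);
  const b = normalizeHost(base);
  if (h.length === 0 || b.length === 0) return false;
  return h === b || h.endsWith("." + b);
}

// Hosts that the loose check accepts but the boundary-aware check rejects.
function findOvermatches(hosts, base) {
  return hosts.filter(
    (h) => looseSuffixMatch(normalizeHost(h), base) && !isDomainOrSubdomain(h, base)
  );
}

// Constructed sample hostnames for the comparison.
const SAMPLE_HOSTS = [
  "hulu.com",
  "www.hulu.com",
  "WWW.HULU.COM.",
  "thisisnothulu.com",
  "hulu.com.example.net",
];

console.log(findOvermatches(SAMPLE_HOSTS, "hulu.com"));
```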