From 855a412394c37da62b7415fad9e323bfbf645036 Mon Sep 17 00:00:00 2001
From: Fedor <fedor@mail.ru>
Date: Wed, 9 Sep 2020 17:29:46 +0300
Subject: [PATCH] [media] Only include source error details in debugging
 scenarios.

---
 dom/html/HTMLMediaElement.cpp | 14 +++++++++++++-
 modules/libpref/init/all.js   |  9 +++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
index cbb86edac..c7306b98e 100644
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -9,6 +9,7 @@
 #include "mozilla/dom/HTMLSourceElement.h"
 #include "mozilla/dom/ElementInlines.h"
 #include "mozilla/dom/Promise.h"
+#include "mozilla/Preferences.h"
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/MathAlgorithms.h"
 #include "mozilla/AsyncEventDispatcher.h"
@@ -1245,7 +1246,18 @@ void HTMLMediaElement::NoSupportedMediaSourceError(const nsACString& aErrorDetai
   if (mDecoder) {
     ShutdownDecoder();
   }
-  mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails);
+
+  // aErrorDetails can include sensitive details like MimeType or HTTP Status
+  // Code. We should not leak this and pass a Generic Error Message unless the
+  // user has explicitly enabled error reporting for debugging purposes.
+  bool reportDetails = Preferences::GetBool("media.sourceErrorDetails.enabled", false);
+  if (reportDetails) {
+    mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails);
+  } else {
+    mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED,
+                         NS_LITERAL_CSTRING("Failed to open media"));
+  }
+
   ChangeDelayLoadStatus(false);
   UpdateAudioChannelPlayingState();
   RejectPromises(TakePendingPlayPromises(), NS_ERROR_DOM_MEDIA_NOT_SUPPORTED_ERR);
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 5515f9916..068bb1bd4 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -5432,3 +5432,12 @@ pref("prompts.authentication_dialog_abuse_limit", 0);
 
 // Whether module scripts (<script type="module">) are enabled for content.
 pref("dom.moduleScripts.enabled", true);
+
+// Report details when a media source error occurs?
+// Enabled by default in debug builds, otherwise should be explicitly enabled
+// by the user to prevent XO leaking of the response status (CVE-2020-15666)
+#ifdef DEBUG
+pref("media.sourceErrorDetails.enabled", true);
+#else
+pref("media.sourceErrorDetails.enabled", false);
+#endif