Bug 1933266 - Update domain allowlist for Widevine #3252
Conversation
uwsgi/admin.wsgi
Outdated
| @@ -34,6 +34,10 @@ DOMAIN_ALLOWLIST = { | |||
| "Widevine", | |||
| "Widevine-L1", | |||
| ), | |||
| "www.google.com": ( | |||
There was a problem hiding this comment.
This is a bit of a gaping hole in that Balrog would allow anything accessible through https://www.google.com to be served as a Widevine plugin... Is there any we can get a more scoped down domain for the mirrors? Or would that just end up with the same problem of things getting blocked?
There was a problem hiding this comment.
I could see how that might get abused, but part of the point is to use a domain that is unlikely to be blocked. The URL does have a set form though, perhaps I could extend the allowlisting to support partial URLs, e.g. https://www.google.com/dl/release2/chrome_component
There was a problem hiding this comment.
This seems to be the only place that uses the result directly, so I could change the format a bit to provide both domains and URLs:
Line 38 in b2d6bd3
If it doesn't match a domain, it can check to see if the URL matches one of the starting fragments instead. Change DOMAIN_ALLOWLIST to something like
DOMAIN_ALLOWLIST = {
"domains": {
// ... existing list
},
"urlFragments": {
"https://www.google.com/dl/release2/chrome_component": (
"Widevine",
"Widevine-L1",
)
},
}
There was a problem hiding this comment.
Or alternatively, something like, where the domain either just has the list of products straight up like now, or it provides an additional criteria of URL fragments that the URL path needs to match:
DOMAIN_ALLOWLIST = {
// ... existing list
"www.google.com": {
"dl/release2/chrome_component": (
"Widevine",
"Widevine-L1",
)
}
}
There was a problem hiding this comment.
I did a more advanced version of the latter and updated the PR. Now it can take in an optional fullmatch regex for the path to ensure more generic domains don't get abused. The regex for www.google.com should only allow us to access files from the chrome component update service.
aosmond
force-pushed
the
ao_gmp_google_allowlist
branch
from
f0cb94d to
a2fee56
Compare
aosmond
changed the title
aosmond
force-pushed
the
ao_gmp_google_allowlist
branch
from
a2fee56 to
b04c715
Compare
src/auslib/AUS.py
Outdated
| @@ -34,14 +35,29 @@ def isSpecialURL(url, specialForceHosts): | |||
| def isForbiddenUrl(url, product, allowlistedDomains): | |||
| if allowlistedDomains is None: | |||
| allowlistedDomains = [] | |||
| domain = urlparse(url)[1] | |||
| parsedUrl = urlparse(url) | |||
| domain = parsedUrl[1] | |||
There was a problem hiding this comment.
I realize that you're inheriting this, but it would be a good time to update this to use the named attributes that urlparse returns (it looks like you want .netloc and .path specifically).
There was a problem hiding this comment.
Sure, I noticed that from the docs, but chose to follow the convention set in the code. Fixed!
src/auslib/AUS.py
Outdated
| logging.warning("Forbidden domain for product %s: %s", product, domain) | ||
| return True | ||
| return False | ||
| elif isinstance(allowlistedDomain, object): |
There was a problem hiding this comment.
You want isinstance(allowlistedDomain, dict) here. (object is the base class of the class hierarchy, so this happens to work, but if there was another elif block afterwards there'd be a problem.)
aosmond
force-pushed
the
ao_gmp_google_allowlist
branch
from
b04c715 to
b04680c
Compare
No description provided.