Bug 1706121 - part5 : prevent using MFCDM under the private browsing mode. r=media-playback-reviewers,padenot

For GMP CDM, we will use in-memory storage for it under the private
browsing mode, but we can't do that for MFCDM.

Therefore, we should disable it under the private browsing mode to
prevent any user data leak.

Differential Revision: https://phabricator.services.mozilla.com/D210070

dom/media/eme/KeySystemConfig.cpp

@@ -295,8 +295,8 @@ void KeySystemConfig::GetGMPKeySystemConfigs(dom::Promise* aPromise) {
       continue;
     }
 #endif
-    requests.AppendElement(
+    requests.AppendElement(KeySystemConfigRequest{
-        KeySystemConfigRequest{keySystem, DecryptionInfo::Software});
+        keySystem, DecryptionInfo::Software, false /* IsPrivateBrowsing */});
   }
 
   // Get supported configs

dom/media/eme/KeySystemConfig.h

@@ -202,10 +202,14 @@ struct KeySystemConfig {
 
 struct KeySystemConfigRequest final {
   KeySystemConfigRequest(const nsAString& aKeySystem,
-                         KeySystemConfig::DecryptionInfo aDecryption)
+                         KeySystemConfig::DecryptionInfo aDecryption,
-      : mKeySystem(aKeySystem), mDecryption(aDecryption) {}
+                         bool aIsPrivateBrowsing)
+      : mKeySystem(aKeySystem),
+        mDecryption(aDecryption),
+        mIsPrivateBrowsing(aIsPrivateBrowsing) {}
   const nsString mKeySystem;
   const KeySystemConfig::DecryptionInfo mDecryption;
+  const bool mIsPrivateBrowsing;
 };
 
 KeySystemConfig::SessionType ConvertToKeySystemConfigSessionType(

dom/media/eme/MediaKeySession.cpp

@@ -62,7 +62,11 @@ MediaKeySession::MediaKeySession(nsPIDOMWindowInner* aParent, MediaKeys* aKeys,
       mUninitialized(true),
       mKeyStatusMap(new MediaKeyStatusMap(aParent)),
       mExpiration(JS::GenericNaN()),
-      mHardwareDecryption(aHardwareDecryption) {
+      mHardwareDecryption(aHardwareDecryption),
+      mIsPrivateBrowsing(
+          aParent->GetExtantDoc() &&
+          aParent->GetExtantDoc()->NodePrincipal()->GetPrivateBrowsingId() >
+              0) {
   EME_LOG("MediaKeySession[%p,''] ctor", this);
 
   MOZ_ASSERT(aParent);
@@ -250,8 +254,8 @@ already_AddRefed<Promise> MediaKeySession::GenerateRequest(
   // cdm implementation value does not support initDataType as an
   // Initialization Data Type, return a promise rejected with a
   // NotSupportedError. String comparison is case-sensitive.
-  MediaKeySystemAccess::KeySystemSupportsInitDataType(mKeySystem, aInitDataType,
+  MediaKeySystemAccess::KeySystemSupportsInitDataType(
-                                                      mHardwareDecryption)
+      mKeySystem, aInitDataType, mHardwareDecryption, mIsPrivateBrowsing)
       ->Then(GetMainThreadSerialEventTarget(), __func__,
              [self = RefPtr<MediaKeySession>{this}, this,
               initDataType = nsString{aInitDataType},

dom/media/eme/MediaKeySession.h

@@ -141,6 +141,9 @@ class MediaKeySession final : public DOMEventTargetHelper,
 
   // True if this key session is related with hardware decryption.
   bool mHardwareDecryption;
+
+  // True if this media key session is created under a private browsing mode.
+  const bool mIsPrivateBrowsing;
 };
 
 }  // namespace dom

dom/media/eme/MediaKeySystemAccess.cpp

@@ -233,14 +233,15 @@ static KeySystemConfig::EMECodecString ToEMEAPICodecString(
 
 static RefPtr<KeySystemConfig::SupportedConfigsPromise>
 GetSupportedKeySystemConfigs(const nsAString& aKeySystem,
-                             bool aIsHardwareDecryption) {
+                             bool aIsHardwareDecryption,
+                             bool aIsPrivateBrowsing) {
   using DecryptionInfo = KeySystemConfig::DecryptionInfo;
   nsTArray<KeySystemConfigRequest> requests;
 
   // Software Widevine and Clearkey
   if (IsWidevineKeySystem(aKeySystem) || IsClearkeyKeySystem(aKeySystem)) {
-    requests.AppendElement(
+    requests.AppendElement(KeySystemConfigRequest{
-        KeySystemConfigRequest{aKeySystem, DecryptionInfo::Software});
+        aKeySystem, DecryptionInfo::Software, aIsPrivateBrowsing});
   }
 #ifdef MOZ_WMF_CDM
   if (IsPlayReadyEnabled()) {
@@ -249,21 +250,21 @@ GetSupportedKeySystemConfigs(const nsAString& aKeySystem,
         aKeySystem.EqualsLiteral(kPlayReadyKeySystemHardware)) {
       requests.AppendElement(
           KeySystemConfigRequest{NS_ConvertUTF8toUTF16(kPlayReadyKeySystemName),
-                                 DecryptionInfo::Software});
+                                 DecryptionInfo::Software, aIsPrivateBrowsing});
       if (aIsHardwareDecryption) {
         requests.AppendElement(KeySystemConfigRequest{
             NS_ConvertUTF8toUTF16(kPlayReadyKeySystemName),
-            DecryptionInfo::Hardware});
+            DecryptionInfo::Hardware, aIsPrivateBrowsing});
         requests.AppendElement(KeySystemConfigRequest{
             NS_ConvertUTF8toUTF16(kPlayReadyKeySystemHardware),
-            DecryptionInfo::Hardware});
+            DecryptionInfo::Hardware, aIsPrivateBrowsing});
       }
     }
     // PlayReady clearlead
     if (aKeySystem.EqualsLiteral(kPlayReadyHardwareClearLeadKeySystemName)) {
       requests.AppendElement(KeySystemConfigRequest{
           NS_ConvertUTF8toUTF16(kPlayReadyHardwareClearLeadKeySystemName),
-          DecryptionInfo::Hardware});
+          DecryptionInfo::Hardware, aIsPrivateBrowsing});
     }
   }
 
@@ -273,13 +274,13 @@ GetSupportedKeySystemConfigs(const nsAString& aKeySystem,
         (IsWidevineKeySystem(aKeySystem) && aIsHardwareDecryption)) {
       requests.AppendElement(KeySystemConfigRequest{
           NS_ConvertUTF8toUTF16(kWidevineExperimentKeySystemName),
-          DecryptionInfo::Hardware});
+          DecryptionInfo::Hardware, aIsPrivateBrowsing});
     }
     // Widevine clearlead
     if (aKeySystem.EqualsLiteral(kWidevineExperiment2KeySystemName)) {
       requests.AppendElement(KeySystemConfigRequest{
           NS_ConvertUTF8toUTF16(kWidevineExperiment2KeySystemName),
-          DecryptionInfo::Hardware});
+          DecryptionInfo::Hardware, aIsPrivateBrowsing});
     }
   }
 #endif
@@ -289,10 +290,11 @@ GetSupportedKeySystemConfigs(const nsAString& aKeySystem,
 /* static */
 RefPtr<GenericPromise> MediaKeySystemAccess::KeySystemSupportsInitDataType(
     const nsAString& aKeySystem, const nsAString& aInitDataType,
-    bool aIsHardwareDecryption) {
+    bool aIsHardwareDecryption, bool aIsPrivateBrowsing) {
   RefPtr<GenericPromise::Private> promise =
       new GenericPromise::Private(__func__);
-  GetSupportedKeySystemConfigs(aKeySystem, aIsHardwareDecryption)
+  GetSupportedKeySystemConfigs(aKeySystem, aIsHardwareDecryption,
+                               aIsPrivateBrowsing)
       ->Then(GetMainThreadSerialEventTarget(), __func__,
              [promise, initDataType = nsString{std::move(aInitDataType)}](
                  const KeySystemConfig::SupportedConfigsPromise::
@@ -1068,7 +1070,7 @@ MediaKeySystemAccess::GetSupportedConfig(MediaKeySystemAccessRequest* aRequest,
   RefPtr<KeySystemConfig::KeySystemConfigPromise::Private> promise =
       new KeySystemConfig::KeySystemConfigPromise::Private(__func__);
   GetSupportedKeySystemConfigs(aRequest->mKeySystem,
-                               isHardwareDecryptionRequest)
+                               isHardwareDecryptionRequest, aIsPrivateBrowsing)
       ->Then(GetMainThreadSerialEventTarget(), __func__,
              [promise, aRequest, document = RefPtr<const Document>{aDocument}](
                  const KeySystemConfig::SupportedConfigsPromise::

dom/media/eme/MediaKeySystemAccess.h

@@ -66,7 +66,7 @@ class MediaKeySystemAccess final : public nsISupports, public nsWrapperCache {
 
   static RefPtr<GenericPromise> KeySystemSupportsInitDataType(
       const nsAString& aKeySystem, const nsAString& aInitDataType,
-      bool aIsHardwareDecryption);
+      bool aIsHardwareDecryption, bool aIsPrivateBrowsing);
 
   static nsCString ToCString(
       const Sequence<MediaKeySystemConfiguration>& aConfig);

dom/media/eme/mediafoundation/WMFCDMImpl.cpp

@@ -60,7 +60,8 @@ WMFCDMCapabilites::GetCapabilities(
     RefPtr<MFCDMChild> cdm = new MFCDMChild(request.mKeySystem);
     promises.AppendElement(cdm->GetCapabilities(MFCDMCapabilitiesRequest{
         nsString{request.mKeySystem},
-        request.mDecryption == KeySystemConfig::DecryptionInfo::Hardware}));
+        request.mDecryption == KeySystemConfig::DecryptionInfo::Hardware,
+        request.mIsPrivateBrowsing}));
     mCDMs.AppendElement(std::move(cdm));
   }
 

dom/media/ipc/MFCDMParent.cpp

@@ -774,6 +774,12 @@ void MFCDMParent::GetCapabilities(const nsString& aKeySystem,
     return;
   }
 
+  // MFCDM requires persistent storage, and can't use in-memory storage, it
+  // can't be used in private browsing.
+  if (aFlags.contains(CapabilitesFlag::IsPrivateBrowsing)) {
+    return;
+  }
+
   ComPtr<IMFContentDecryptionModuleFactory> factory = aFactory;
   if (!factory) {
     RETURN_VOID_IF_FAILED(GetOrCreateFactory(aKeySystem, factory));
@@ -1005,6 +1011,9 @@ mozilla::ipc::IPCResult MFCDMParent::RecvGetCapabilities(
   if (RequireClearLead(aRequest.keySystem())) {
     flags += CapabilitesFlag::NeedClearLeadCheck;
   }
+  if (aRequest.isPrivateBrowsing()) {
+    flags += CapabilitesFlag::IsPrivateBrowsing;
+  }
   GetCapabilities(aRequest.keySystem(), flags, mFactory.Get(), capabilities);
   aResolver(std::move(capabilities));
   return IPC_OK();

dom/media/ipc/MFCDMParent.h

@@ -102,6 +102,7 @@ class MFCDMParent final : public PMFCDMParent {
     HarewareDecryption,
     NeedHDCPCheck,
     NeedClearLeadCheck,
+    IsPrivateBrowsing,
   };
   using CapabilitesFlagSet = EnumSet<CapabilitesFlag, uint8_t>;
 

dom/media/ipc/PMFCDM.ipdl

@@ -100,6 +100,7 @@ union MFCDMSessionResult {
 struct MFCDMCapabilitiesRequest {
   nsString keySystem;
   bool isHardwareDecryption;
+  bool isPrivateBrowsing;
 };
 
 [ManualDealloc]