Don't register WebM / MSE-AVF media players for GPU-process playback under MediaContainment

514ac25

WebKit splits media across the WebContent process (JS, demuxing), the GPU process (decoding, rendering), and a WebContent-side remote proxy (MediaPlayerPrivateRemote). When MediaContainment is enabled, WebM and MSE-AVF engines demux in WebContent and only the renderer lives in GPU, so instantiating the full MediaPlayerPrivate in GPU is both unnecessary and a defense-in-depth gap. Previously a single MESSAGE_CHECK in createMediaPlayer was the explicit IPC guard rejecting those instantiations; codec capability queries (canDecodeExtendedType) shared the same engine registry with no way to distinguish "can answer queries" from "can be instantiated for playback".

Source/WebCore/platform/graphics/MediaPlayerEnums.h

+enum class MediaPlayerScope : uint8_t {
+    Playback,
+    Supports,
+};

Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp

-#if PLATFORM(COCOA)
-    MESSAGE_CHECK(!connection->sharedPreferencesForWebProcessValue().mediaContainmentEnabled
-        || engineIdentifier == MediaPlayerEnums::MediaEngineIdentifier::AVFoundation
-        || engineIdentifier == MediaPlayerEnums::MediaEngineIdentifier::WirelessPlayback);
-#endif
+    MESSAGE_CHECK(playbackEngineForConnection(engineIdentifier));

This commit replaces the hand-maintained allowlist with registry-based scope filtering. Each MediaPlayerPrivate now declares its own MediaPlayerScope (Playback vs Supports), and a new playbackEngineForConnection helper filters all GPU-process engine lookups by scope and MediaContainmentEnabled state, preventing WebM and MSE-AVF engines from being instantiated for GPU playback when MediaContainment is active while still letting them answer codec queries.

Significance

This restructures a GPU-process privilege boundary: the explicit MESSAGE_CHECK IPC guard is gone, replaced by an implicit registry contract that must be upheld correctly at every call site — a larger and more subtle attack surface.

Audit directions

Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaa Aaa Aaaaaaaaaaaa Aaaaaa Aaaaaaaaaa a Aa Aa Aaa Aa Aaa Aa Aaaa Aaaaaaaaaaaaaa Aaaaaaa Aaaaaaaaaa Aaa Aaa Aaaaaaa Aaaaaa Aaaaaaaaaa Aaaaaa Aa a Aaaaaaaaaa Aaaa Aaaaaaa Aaaaaaaaaaa Aaaaa Aaaaa Aaaaaaa Aaa Aaaaaaaaaaaa Aaaaa Aaaaaaaaa Aaaaaaaa Aaaaa Aaaaaaa Aaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaa Aaa Aaaa Aaaaaaaaaa Aaa Aaa Aaaaaaaa Aaaaaaaa Aaaaaa Aaaaaaaa Aaa Aaaa Aaaa Aaaaaaaa Aa Aa Aaaaaaaa Aaaa Aaa Aaaaa Aaaaa Aaaaa Aaa Aaa Aaaaaaaaaaaaaaa Aaaaaaaa a Aaaaa Aaaaaaa Aaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaa Aaa Aaaaa Aaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaa Aaaa Aaaaaaaa Aaaaa a Aa Aaaaaa Aaaaaaaaa Aaaaa Aaaaaaa Aaaa Aaa Aaaaa Aaaaaaaaaa Aaaa Aaaaaaaaaaaaa Aaa Aaaaa Aaaaaa Aaaaaaaa Aaaaaaaaaa Aaaaaaaa Aaa Aaaaaaa Aaaaaaaaaaaa Aaaaaa Aaaaaaa Aaa Aaaaaaaaaaa Aaaaaa Aaaaaa Aaaa Aaaa Aaaa Aaa Aaaaaaaa Aaaaaaa Aa Aaa Aaaa Aaaaaaaaaa Aaaa Aaaaaaaa

🔒

The distributed registry contract replacing an explicit IPC guard has edge cases in scope handling and containment state propagation worth investigating.

Subscribe to read more