Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do Mobile Browsers send httpOnly cookies via the HTML5 Audio-Tag?

Tags:

mobile-browser

html5-audio

cookie-httponly

I try to play some mp3 files via the html5 audio-tag. For the desktop this works great (with Chrome), but when it comes to the mobile browsers (also Chrome (for Android)), there seem to be some difficulties:

I protected the stream with some password an therefore the streaming server needs to find a special authentification cookie (spring security remember-me). But somehow the mobile browser doesn't send this cookie when it accesses the mp3-stream via the audio tag. When I enter the stream URL directly to the address bar everything works just fine.

While I searched for the lost cookie I found out, that the mobile browser still sends some cookies (e.g. the JSESSIONID) but not all. Further investigations (quick PoC with PHP) revealed that the mobile browsern seems to refuse to send cookies via the audio-tag which have the HttpOnly Flag set. So my question is:

Is this a specified behaviour, why are there differences between the mobile and the desktop versions (of Chrome) and is there a way control the behaviour from the client side?

like image 856
JepZ Avatar asked Apr 30 '13 23:04

JepZ

1 Answers

By looking more deeply into the HTTP packages I found out, that the Android browser doesn't request the mp3-stream itself, but delegates this to stagefright (some android multimedia client). A quick search revealed, that for the old Android versions (before 4.0) stagefright cannot handle cookies:

  • https://code.google.com/p/android/issues/detail?id=17553 <-- (Status: spam) WTF...
  • https://code.google.com/p/android/issues/detail?id=17281
  • https://code.google.com/p/android/issues/detail?id=10567
  • https://code.google.com/p/android/issues/detail?id=19958

My own tests confirmed this. The old stagefright (Android 2.3.x) doesn't send any cookies at all, the stagefright from a european S3 (android 4.1.2, stagefright 1.2) sends only the the cookies which do NOT have the httpOnly flag.

So I think that everybody has to decide himself which solution he wants to use:

  • enable httpOnly: android has no access at all but its secure
  • disable httpOnly: less secure against XSS, but works for Android >4.0
  • disable cookie authentication at all: insecure but works for all

Note: The problem with simply disabling httpOnly is that you make your whole application vulnerable to cookie hijackers. Another possible solution would be to have a special rememberme cookie for the stream (without httpOnly) and another rememberme cookie with httpOnly enabled.

like image 111
JepZ Avatar answered Sep 24 '22 05:09

JepZ
Sign in to Comment

Related questions

Firefox HTML5 Audio: Media resource could not be decoded (OnMediaSinkAudioError)
Is there a way get something like decibel levels from an audio file and transform that information into a json array?
Creating a python audio player using QWebView and the HTML5 Audio API
Get audio samples from audio element
How to Pass Authorization Header in HTTP Request when using HTML5 Player (Audio tag) for security
Access binary data of <audio> src
Playing and recording audio in sync with getUserMedia/Web Audio API
Audio vs AudioContext
CloudStorageTools::serve() audio not playing on iOS
Play music from bytearray in html5
How to use Web Audio API to make sound like guitar, piano etc
Possible to analyze streaming audio from Icecast using Web Audio API and createMediaElementSource?
Record Audio on Website that works on all browsers and iOS
Start playing a loaded audio file in the middle with Chrome webkitAudioContext?
Web audio API: scheduling sounds and exporting the mix
Play WAV files in IE
Phonegap mixing audio files
CSS style <audio>

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!