bilibili/WebAV

AvCliper - Security Issue

Closed this issue · 9 comments

Hi,

I recently upgraded to the latest av-cliper (from [0.13.6] - [0.14.14]) and am now getting a security error that I wasn't previously getting:
image

This seems to be happening when calling init on the log.ts. Not sure what's breaking this for me, I'm using the MP4Clip pretty much the same as described in your documents:

     const resp1 = await fetch(src);
     const videoClip = new MP4Clip(resp1.body);
     await videoClip.ready; 
     return videoClip;

But it seems to be throwing on the ready.

For reference I'm using the dist of av-clipper.js in an MVC environment hosted with IIS. Given the updates you've made since [0.13.6] I'd be keen to get this later version working so any ideas/suggestions would be most helpful.

Thanks

I found a similar issue; you might want to try it out to see if it solves your problem.
https://stackoverflow.com/questions/70811129/securityerror-failed-to-read-the-localstorage-property-from-window-access

I did try this and had a good look around before reaching out to you. The library writes to local storage fine on the older version, but from [0.13.10] onwards it just stops working. I can't really see any massive differences in the code that is calling into opfs, so it could be something odd in the dependency.

WebAV v0.13.10 has been updated to depend on opfs-tools v0.5.8, and opfs-tools has been upgraded to rely on vite v5.3.4. The corresponding PR for vite can be found here: vite#17509.

The purpose of these upgrades is to resolve the issue where av-cliper couldn't run in a Worker.

Could you provide a reproducible demo?

Sure, a very very simple reproduction is here, stackblitz-demo.

All this is doing is loading an MP4Clip and adding it to a map to be accessed for decoding later. I could expand this if required, but the exception does appear here.

It seems to be failing inside the worker. It is possible that this is only an issue in a vanilla JS world and in React this might not happen, but the project I'm working on is so deeply rooted in .NET MVC (classic, might I add...) that I'm limited in regards to changing this.

I couldn't reproduce the security error in the demo.

> but the project I'm working on is deeply rooted in .NET MVC

It might be a limitation of the JavaScript runtime environment, rather than a bug in WebAV or opfs-tools.

That's strange, as I'm seeing it clearly in the demo, in both Chrome and Edge I might add, so nothing to do with browser or cookies:
image

This should also rule out the environmental issues as well.

image
Please use an HTTPS video resource for testing.

Good catch.

Amended demo: stackblitz

The screenshot indicates that the video file was successfully parsed.
image

I am unable to reproduce the reported error. This issue will be suspended for a period of time, and if no other reports are received, it will be closed.