diff --git a/pkgs/applications/networking/browsers/chromium/browser.nix b/pkgs/applications/networking/browsers/chromium/browser.nix
index 8bdb33ed5d22..ad7fa78527cd 100644
--- a/pkgs/applications/networking/browsers/chromium/browser.nix
+++ b/pkgs/applications/networking/browsers/chromium/browser.nix
@@ -1,4 +1,4 @@
-{ stdenv, mkChromiumDerivation, channel }:
+{ stdenv, mkChromiumDerivation, channel, enableWideVine }:
 
 with stdenv.lib;
 
@@ -18,11 +18,6 @@ mkChromiumDerivation (base: rec {
     cp -vLR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
     cp -v "$buildPath/chrome" "$libExecPath/$packageName"
 
-    if [ -e "$buildPath/libwidevinecdmadapter.so" ]; then
-      cp -v "$buildPath/libwidevinecdmadapter.so" \
-            "$libExecPath/libwidevinecdmadapter.so"
-    fi
-
     mkdir -p "$sandbox/bin"
     cp -v "$buildPath/chrome_sandbox" "$sandbox/bin/${sandboxExecutableName}"
 
@@ -67,7 +62,7 @@ mkChromiumDerivation (base: rec {
     description = "An open source web browser from Google";
     homepage = http://www.chromium.org/;
     maintainers = with maintainers; [ bendlas ivan ];
-    license = licenses.bsd3;
+    license = if enableWideVine then licenses.unfree else licenses.bsd3;
     platforms = platforms.linux;
     hydraPlatforms = if channel == "stable" then ["aarch64-linux" "x86_64-linux"] else [];
     timeout = 172800; # 48 hours
diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index a3645e97e255..6d43c313cc02 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -24,7 +24,6 @@
 
 # package customization
 , enableNaCl ? false
-, enableWideVine ? false
 , useVaapi ? false
 , gnomeSupport ? false, gnome ? null
 , gnomeKeyringSupport ? false, libgnome-keyring3 ? null
@@ -133,11 +132,12 @@ let
       ++ optional pulseSupport libpulseaudio
       ++ optional (versionAtLeast version "72") jdk.jre;
 
-    patches = optional enableWideVine ./patches/widevine.patch ++ [
+    patches = [
       ./patches/nix_plugin_paths_68.patch
       ./patches/remove-webp-include-69.patch
       ./patches/jumbo-sorted.patch
       ./patches/no-build-timestamps.patch
+      ./patches/widevine.patch
 
       # Unfortunately, chromium regularly breaks on major updates and
       # then needs various patches backported in order to be compiled with GCC.
@@ -235,7 +235,7 @@ let
       use_gnome_keyring = gnomeKeyringSupport;
       use_gio = gnomeSupport;
       enable_nacl = enableNaCl;
-      enable_widevine = enableWideVine;
+      enable_widevine = true;
       use_cups = cupsSupport;
 
       treat_warnings_as_errors = false;
diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 3178e2595fc5..f099ddbff737 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -2,6 +2,8 @@
 , makeWrapper, ed
 , glib, gtk3, gnome3, gsettings-desktop-schemas
 , libva ? null
+, gcc, nspr, nss, patchelfUnstable, runCommand
+, lib
 
 # package customization
 , channel ? "stable"
@@ -34,23 +36,76 @@ in let
     mkChromiumDerivation = callPackage ./common.nix {
       inherit enableNaCl gnomeSupport gnome
               gnomeKeyringSupport proprietaryCodecs cupsSupport pulseSupport
-              useVaapi
-              enableWideVine;
+              useVaapi;
     };
 
-    browser = callPackage ./browser.nix { inherit channel; };
+    browser = callPackage ./browser.nix { inherit channel enableWideVine; };
 
     plugins = callPackage ./plugins.nix {
-      inherit enablePepperFlash enableWideVine;
+      inherit enablePepperFlash;
     };
   };
 
+  mkrpath = p: "${lib.makeSearchPathOutput "lib" "lib64" p}:${lib.makeLibraryPath p}";
+  widevine = let upstream-info = chromium.upstream-info; in stdenv.mkDerivation {
+    name = "chromium-binary-plugin-widevine";
+
+    src = upstream-info.binary;
+
+    nativeBuildInputs = [ patchelfUnstable ];
+
+    phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ];
+
+    unpackCmd = let
+      chan = if upstream-info.channel == "dev"    then "chrome-unstable"
+        else if upstream-info.channel == "stable" then "chrome"
+        else if upstream-info.channel == "beta" then "chrome-beta"
+        else throw "Unknown chromium channel.";
+    in ''
+      mkdir -p plugins
+      ar p "$src" data.tar.xz | tar xJ -C plugins --strip-components=4 \
+        ./opt/google/${chan}/libwidevinecdm.so
+    '';
+
+    doCheck = true;
+    checkPhase = ''
+      ! find -iname '*.so' -exec ldd {} + | grep 'not found'
+    '';
+
+    PATCH_RPATH = mkrpath [ gcc.cc glib nspr nss ];
+
+    patchPhase = ''
+      patchelf --set-rpath "$PATCH_RPATH" libwidevinecdm.so
+    '';
+
+    installPhase = ''
+      install -vD libwidevinecdm.so \
+        "$out/lib/libwidevinecdm.so"
+    '';
+
+    meta.platforms = lib.platforms.x86_64;
+  };
+
   suffix = if channel != "stable" then "-" + channel else "";
 
   sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
 
   version = chromium.browser.version;
 
+  # This is here because we want to add the widevine shared object at the last
+  # minute in order to avoid a full rebuild of chromium. Additionally, this
+  # isn't in `browser.nix` so we can avoid having to re-expose attributes of
+  # the chromium derivation (see above: we introspect `sandboxExecutableName`).
+  chromiumWV = let browser = chromium.browser; in if enableWideVine then
+    runCommand (browser.name + "-wv") { version = browser.version; }
+      ''
+        mkdir -p $out
+        cp -R ${browser}/* $out/
+        chmod u+w $out/libexec/chromium*
+        cp ${widevine}/lib/libwidevinecdm.so $out/libexec/chromium/
+        # patchelf?
+      ''
+    else browser;
 in stdenv.mkDerivation {
   name = "chromium${suffix}-${version}";
   inherit version;
@@ -68,7 +123,7 @@ in stdenv.mkDerivation {
   outputs = ["out" "sandbox"];
 
   buildCommand = let
-    browserBinary = "${chromium.browser}/libexec/chromium/chromium";
+    browserBinary = "${chromiumWV}/libexec/chromium/chromium";
     getWrapperFlags = plugin: "$(< \"${plugin}/nix-support/wrapper-flags\")";
     libPath = stdenv.lib.makeLibraryPath ([]
       ++ stdenv.lib.optional useVaapi libva
@@ -113,13 +168,7 @@ in stdenv.mkDerivation {
   '';
 
   inherit (chromium.browser) packageName;
-  meta = chromium.browser.meta // {
-    broken = if enableWideVine then
-          builtins.trace "WARNING: WideVine is not functional, please only use for testing"
-             true
-        else false;
-  };
-
+  meta = chromium.browser.meta;
   passthru = {
     inherit (chromium) upstream-info browser;
     mkDerivation = chromium.mkChromiumDerivation;
diff --git a/pkgs/applications/networking/browsers/chromium/patches/widevine.patch b/pkgs/applications/networking/browsers/chromium/patches/widevine.patch
index 90a13928e3bd..2de6024141d7 100644
--- a/pkgs/applications/networking/browsers/chromium/patches/widevine.patch
+++ b/pkgs/applications/networking/browsers/chromium/patches/widevine.patch
@@ -1,16 +1,24 @@
-Minimal WideVine patch from Gentoo:
+Description: enable widevine and set its version string to "undefined"
+Author: Michael Gilbert <mgilbert@debian.org>
+Author: Olivier Tilloy <olivier.tilloy@canonical.com>
 
-https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/files/chromium-widevine-r1.patch
-
-BTS: https://bugs.gentoo.org/show_bug.cgi?id=547630
-
---- a/third_party/widevine/cdm/stub/widevine_cdm_version.h
-+++ b/third_party/widevine/cdm/stub/widevine_cdm_version.h
-@@ -10,6 +10,7 @@
- 
- #include "third_party/widevine/cdm/widevine_cdm_common.h"
- 
-+#define WIDEVINE_CDM_VERSION_STRING "unknown"
- #define WIDEVINE_CDM_AVAILABLE
+--- a/third_party/widevine/cdm/widevine_cdm_version.h
++++ b/third_party/widevine/cdm/widevine_cdm_version.h
+@@ -11,5 +11,6 @@
+ // If the Widevine CDM is available define the following:
+ //  - WIDEVINE_CDM_VERSION_STRING (with the version of the CDM that's available
+ //    as a string, e.g., "1.0.123.456").
++#define WIDEVINE_CDM_VERSION_STRING "undefined"
  
  #endif  // WIDEVINE_CDM_VERSION_H_
+--- a/chrome/common/chrome_content_client.cc
++++ b/chrome/common/chrome_content_client.cc
+@@ -99,7 +99,7 @@
+ // Registers Widevine CDM if Widevine is enabled, the Widevine CDM is
+ // bundled and not a component. When the Widevine CDM is a component, it is
+ // registered in widevine_cdm_component_installer.cc.
+-#if BUILDFLAG(BUNDLE_WIDEVINE_CDM) && !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
++#if !BUILDFLAG(ENABLE_WIDEVINE_CDM_COMPONENT)
+ #define REGISTER_BUNDLED_WIDEVINE_CDM
+ #include "third_party/widevine/cdm/widevine_cdm_common.h"  // nogncheck
+ // TODO(crbug.com/663554): Needed for WIDEVINE_CDM_VERSION_STRING. Support
diff --git a/pkgs/applications/networking/browsers/chromium/plugins.nix b/pkgs/applications/networking/browsers/chromium/plugins.nix
index b356f809f03c..a80210542c53 100644
--- a/pkgs/applications/networking/browsers/chromium/plugins.nix
+++ b/pkgs/applications/networking/browsers/chromium/plugins.nix
@@ -6,7 +6,6 @@
 , fetchzip
 , patchelfUnstable
 , enablePepperFlash ? false
-, enableWideVine ? false
 
 , upstream-info
 }:
@@ -44,60 +43,6 @@ let
     echo ${toString quoted} > "''$${output}/nix-support/wrapper-flags"
   '';
 
-  widevine = stdenv.mkDerivation {
-    name = "chromium-binary-plugin-widevine";
-
-    src = upstream-info.binary;
-
-    nativeBuildInputs = [ patchelfUnstable ];
-
-    phases = [ "unpackPhase" "patchPhase" "installPhase" "checkPhase" ];
-
-    unpackCmd = let
-      chan = if upstream-info.channel == "dev"    then "chrome-unstable"
-        else if upstream-info.channel == "stable" then "chrome"
-        else "chrome-${upstream-info.channel}";
-    in ''
-      mkdir -p plugins
-      ar p "$src" data.tar.xz | tar xJ -C plugins --strip-components=4 \
-        ./opt/google/${chan}/libwidevinecdm.so \
-        ./opt/google/${chan}/libwidevinecdmadapter.so
-    '';
-
-    doCheck = true;
-    checkPhase = ''
-      ! find -iname '*.so' -exec ldd {} + | grep 'not found'
-    '';
-
-    PATCH_RPATH = mkrpath [ gcc.cc glib nspr nss ];
-
-    patchPhase = ''
-      chmod +x libwidevinecdm.so libwidevinecdmadapter.so
-      patchelf --set-rpath "$PATCH_RPATH" libwidevinecdm.so
-      patchelf --set-rpath "$out/lib:$PATCH_RPATH" libwidevinecdmadapter.so
-    '';
-
-    installPhase = let
-      wvName = "Widevine Content Decryption Module";
-      wvDescription = "Playback of encrypted HTML audio/video content";
-      wvMimeTypes = "application/x-ppapi-widevine-cdm";
-      wvModule = "@out@/lib/libwidevinecdmadapter.so";
-      wvInfo = "#${wvName}#${wvDescription};${wvMimeTypes}";
-    in ''
-      install -vD libwidevinecdm.so \
-        "$out/lib/libwidevinecdm.so"
-      install -vD libwidevinecdmadapter.so \
-        "$out/lib/libwidevinecdmadapter.so"
-
-      ${mkPluginInfo {
-        flags = [ "--register-pepper-plugins=${wvModule}${wvInfo}" ];
-        envVars.NIX_CHROMIUM_PLUGIN_PATH_WIDEVINE = "@out@/lib";
-      }}
-    '';
-
-    meta.platforms = platforms.x86_64;
-  };
-
   flash = stdenv.mkDerivation rec {
     pname = "flashplayer-ppapi";
     version = "32.0.0.255";
@@ -140,6 +85,5 @@ let
   };
 
 in {
-  enabled = optional enableWideVine widevine
-         ++ optional enablePepperFlash flash;
+  enabled = optional enablePepperFlash flash;
 }