W3C home > Mailing lists > Public > public-audio@w3.org > July to September 2013

Re: MediaElementAudioSourceNode and cross-origin media resources

From: Ehsan Akhgari <ehsan.akhgari@gmail.com>
Date: Tue, 23 Jul 2013 10:52:55 -0400
Message-ID: <CANTur_6QAF1ac_xBC5N+4hQf7K0V==EhnEK159Gy62pNX4m2ig@mail.gmail.com>
To: "Robert O'Callahan" <robert@ocallahan.org>
Cc: "public-audio@w3.org" <public-audio@w3.org>
On Tue, Jul 23, 2013 at 12:30 AM, Robert O'Callahan <robert@ocallahan.org>wrote:

> HTML media elements can play media resources from any origin. When an
> element plays a media resource from an origin different from the page's
> origin, we must prevent page script from being able to read the contents of
> the media (e.g. extract video frames or audio samples). In particular we
> should prevent ScriptProcessorNodes from getting access to the media's
> audio samples. We should also information about samples leaking in other
> ways (e.g. timing channel attacks). Currently the Web Audio spec says
> nothing about this.
> Anyone know how Webkit/Blink solves this?
> I think we should solve this by preventing any non-same-origin data from
> entering Web Audio. That will minimize the attack surface and the impact on
> Web Audio.
> My proposal is to make MediaElementAudioSourceNode convert data coming
> from a non-same origin stream to silence.

I like this idea.

Should we also subject this to CORS rules to make it possible for Web Audio
to access media elements coming from other origins?

Received on Tuesday, 23 July 2013 14:54:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:50:10 UTC