
Re: MediaElementAudioSourceNode and cross-origin media resources

From: Chris Rogers <crogers@google.com>
Date: Tue, 23 Jul 2013 11:19:28 -0700
Message-ID: <CA+EzO0=O44VtTEM9dqmhc9GcY_CeNo_7z7z8c-yto-qpkpV5bw@mail.gmail.com>
To: Ehsan Akhgari <ehsan.akhgari@gmail.com>
Cc: "Robert O'Callahan" <robert@ocallahan.org>, "public-audio@w3.org" <public-audio@w3.org>

On Tue, Jul 23, 2013 at 7:52 AM, Ehsan Akhgari <ehsan.akhgari@gmail.com> wrote:

> On Tue, Jul 23, 2013 at 12:30 AM, Robert O'Callahan <robert@ocallahan.org> wrote:
>
>> HTML media elements can play media resources from any origin. When an
>> element plays a media resource from an origin different from the page's
>> origin, we must prevent page script from being able to read the contents of
>> the media (e.g. extract video frames or audio samples). In particular we
>> should prevent ScriptProcessorNodes from getting access to the media's
>> audio samples. We should also prevent information about samples leaking in other
>> ways (e.g. timing channel attacks). Currently the Web Audio spec says
>> nothing about this.
>>
>> Anyone know how Webkit/Blink solves this?
>>
>> I think we should solve this by preventing any non-same-origin data from
>> entering Web Audio. That will minimize the attack surface and the impact on
>> Web Audio.
>>
>> My proposal is to make MediaElementAudioSourceNode convert data coming
>> from a non-same origin stream to silence.
>>
>
> I like this idea.
>
> Should we also subject this to CORS rules to make it possible for Web
> Audio to access media elements coming from other origins?
>

seems reasonable


>
> --
> Ehsan
> <http://ehsanakhgari.org/>
>
>
Received on Tuesday, 23 July 2013 18:19:55 UTC
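
The policy discussed in this thread (cross-origin media becomes silence, and becomes readable again when the resource passes a CORS check), modelled as an added example; it is not code from the thread, the Web Audio spec, or any browser. The function names, the shape of the `media` object and the `example` URLs are assumptions made for illustration; the CORS conditions are the standard ones for the `crossorigin` attribute values.

```javascript
// Added illustration of the proposed policy. All names below are hypothetical.

// Serialized origin (scheme, host, port) of a URL.
function originOf(url) {
  return new URL(url).origin;
}

// Does a cross-origin response pass the CORS check for this page?
// corsMode mirrors the media element's crossorigin attribute:
//   null (attribute absent), "anonymous", or "use-credentials".
// headers: response headers, assumed already lower-cased.
function passesCors(pageOrigin, corsMode, headers) {
  if (corsMode === null) return false; // no-cors fetch: response stays opaque
  const allowOrigin = headers["access-control-allow-origin"];
  if (corsMode === "anonymous") {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  // Credentialed mode: the wildcard is not accepted and credentials must be allowed.
  return allowOrigin === pageOrigin &&
         headers["access-control-allow-credentials"] === "true";
}

// May page script read samples decoded from this media resource?
function isReadable(pageUrl, media) {
  const pageOrigin = originOf(pageUrl);
  if (originOf(media.url) === pageOrigin) return true;
  return passesCors(pageOrigin, media.corsMode, media.responseHeaders);
}

// What the source node would hand to the rest of the audio graph
// (and so to any ScriptProcessorNode downstream).
function sourceNodeOutput(pageUrl, media, samples) {
  return isReadable(pageUrl, media)
    ? Float32Array.from(samples)
    : new Float32Array(samples.length); // zero-filled: silence
}

// Constructed sample inputs.
const PAGE = "https://app.example/player";
const SAMPLES = [0.5, -0.25, 0.125];
const sameOrigin = { url: "https://app.example/a.ogg", corsMode: null, responseHeaders: {} };
const noCors = { url: "https://cdn.example/a.ogg", corsMode: null,
                 responseHeaders: { "access-control-allow-origin": "*" } };
const anonCors = { ...noCors, corsMode: "anonymous" };
const credWildcard = { ...noCors, corsMode: "use-credentials" };
```

The `noCors` case shows why the page has to opt in: even a permissive `Access-Control-Allow-Origin` header does not make the samples readable when the element was fetched without the `crossorigin` attribute.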
