Re: [web-audio-api testing] Best way of testing an AudioNode output from Amitay Dobo on 2013-10-31 (public-audio@w3.org from October to December 2013)

From: Amitay Dobo <amitayd@gmail.com>
Date: Fri, 1 Nov 2013 00:45:22 +0200
To: Amitay Dobo <amitayd@gmail.com>, Chris Lowis <chris.lowis@gmail.com>, public-audio@w3.org
Message-ID: <CAEPUYsrtUbt-PK9XjoiaM6ws5XpsX46z8n-V9ajEMe+bZc5e1Q@mail.gmail.com>

Thanks for the explanation, it does make it clearer. Also MDN's explanation
at
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
states
a general policy of allow cross origin embedding of objects, but deny
reading, which seem to apply to this case.

I'll look into reporting a security issue to Chromium/webkit.



On Thu, Oct 31, 2013 at 9:06 PM, Karl Tomlinson <
karlt+public-audio@karlt.net> wrote:

> Amitay Dobo writes:
>
> > 2) Noticed while testing that Mozilla Firefox (27 nightly) does not send
> > any output from a MediaAudioElementSource when the audio source is not
> from
> > the same origin (i.e. different domain). Is this by any way a correct
> > behavior?
>
> Consider a page from an untrusted server using the browser to
> request an audio source from inside the browser's intranet.
>
> The page cannot be permitted to know of the contents of the audio,
> nor whether the audio file exists on the intranet, unless the
> server on the intranet explicitly allows this.
>
> That requirement makes it very difficult to make
> MediaAudioElementSource work at all for cross-origin sources that
> don't grant this permission.
>

Received on Thursday, 31 October 2013 22:45:50 UTC