[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #45 from David Dorwin <ddorwin@google.com> ---
(In reply to Mark Watson from comment #44)
> (In reply to David Dorwin from comment #43)
> > (In reply to Mark Watson from comment #40)
> > > (In reply to David Dorwin from comment #36)
> 
> > 
> > Reiterating what Ryan said, the concern is not necessarily about "rogue
> > CDMS", it is about limiting the damage that is possible when exposing a CDM
> > that uses permanent identifiers, is not fully sandboxed, etc.
> 
> So why not apply the restriction only to such CDMs ? Why should the
> restriction apply to CDMs that do not expose permanent identifiers and/or
> are fully sandboxed ?

That is essentially possible option 2 in comment #0. As mentioned there and
elsewhere, I think relying on such judgement calls will fail in practice.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 20 August 2014 00:13:09 UTC