[Bug 25920] Remove extraction of default URL from createSession() algorithm

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25920

David Dorwin <ddorwin@google.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #9 from David Dorwin <ddorwin@google.com> ---
Summarizing my comments from the telecon and other conversations:

For other platforms, providing URLs in PSSH boxes allowed a license server URL
to be provided to the media/DRM engine, which was responsible for acquiring the
license. This is not necessary in EME where the application acquires the
license, and most applications will know the license server URL a priori. Also,
it seems that standalone media files will be less common as the industry moves
to adaptive streaming and manifests (i.e. MSE and DASH).

Extracting instructions for an application from random media files on the
Internet is inconsistent with good web practices and definitely not something
UAs should do. As currently specified, the user agent/CDM is presenting the
application with "instructions", which some applications are likely to follow,
that were likely extracted from untrusted media data from unknown sources.
Although applications can be implemented in a way that such data is trusted,
the spec and UA cannot assume this. The spec currently defines
unsafe-by-default behavior, and I think it's inappropriate to leave it that
way.

Note that "content federation" - the scenario where default URL might be most
useful with EME - is one in which the content streams are more likely to be
untrusted (vs. a standalone content provider).

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 8 July 2014 21:06:40 UTC