- From: <bugzilla@jessica.w3.org>
- Date: Wed, 17 Sep 2014 19:51:37 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26838

--- Comment #1 from David Dorwin <ddorwin@google.com> ---

Potential mitigations:

1) Treat Optionally-blockable [mixed] Content media data as not CORS-same-origin for the purposes of determining ([2] above) whether to provide initData in the "encrypted" event.
2) Update the generateRequest() algorithm to have the user agent validate and/or sanitize (possibly by pre-parsing and sanitizing) the |initData| and pass a verified/sanitized version to the CDM.

I think #1 is reasonable (regardless of the outcome of bug 26332). This simply brings .src= media data to the same level as MSE media data. The Optionally-blockable Content category only exists to avoid breaking existing web pages, which is not a concern for EME. As noted above, this addresses (network-based) attacks #13, #14, and #15 in [3] above.

#2 is consistent with the security considerations in [1] above and good practices for passing "user data" across security boundaries. As noted in [3] above, this is "[analogous] to browsers validating WebGL shaders before passing them to a shader compiler whose bugs aren't under the control of the browser vendor."

--
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 17 September 2014 19:51:41 UTC
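
An added example, not part of the message above or of any browser's code, showing what mitigation 2 (pre-parsing |initData| before it reaches the CDM) can look like. It assumes the "cenc" initialization data format, one or more concatenated ISO BMFF 'pssh' boxes, which the message itself does not name; `sanitizeCencInitData`, `makePssh` and the 64 KiB cap are hypothetical.

```javascript
// Added example. Assumption: initData is in the "cenc" format, i.e. one or more
// concatenated ISO BMFF 'pssh' boxes. Function names and the size cap are hypothetical.
const MAX_INIT_DATA = 64 * 1024; // assumed policy limit
const PSSH = 0x70737368;         // 'pssh'
// Returns a private copy of initData if every byte belongs to a well-formed pssh box,
// otherwise null. The opaque Data payload inside each box is not interpreted here.
function sanitizeCencInitData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length === 0 || bytes.length > MAX_INIT_DATA) return null;
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 0;
  while (off < bytes.length) {
    if (bytes.length - off < 32) return null;        // smallest legal version-0 box
    const size = view.getUint32(off);                // big-endian
    // Rejecting size < 32 also rejects the special sizes 0 (open-ended) and 1 (64-bit).
    if (size < 32 || size > bytes.length - off) return null;
    if (view.getUint32(off + 4) !== PSSH) return null;
    const version = view.getUint8(off + 8);
    if (version > 1) return null;
    const end = off + size;
    let p = off + 28;                                // header(8) + version/flags(4) + SystemID(16)
    if (version === 1) {
      const kidCount = view.getUint32(p);
      if (kidCount > (end - p - 4) / 16) return null; // bound the count before multiplying
      p += 4 + kidCount * 16;
    }
    // DataSize must be present and Data must fill the rest of the box exactly.
    if (end - p < 4 || view.getUint32(p) !== end - p - 4) return null;
    off = end;
  }
  return bytes.slice(); // copy: later changes by the page cannot reach the CDM
}

// Builds a constructed sample box (placeholder SystemID, not real key-system data).
function makePssh(version, kids, data) {
  const size = 32 + (version === 1 ? 4 + 16 * kids.length : 0) + data.length;
  const box = new Uint8Array(size);
  const v = new DataView(box.buffer);
  v.setUint32(0, size);
  v.setUint32(4, PSSH);
  v.setUint8(8, version);
  box.fill(0xab, 12, 28);
  let p = 28;
  if (version === 1) {
    v.setUint32(p, kids.length); p += 4;
    for (const k of kids) { box.set(k, p); p += 16; }
  }
  v.setUint32(p, data.length);
  box.set(data, p + 4);
  return box;
}
```

The check is structural only: the Data field stays opaque to the user agent, so a CDM still has to treat its contents as untrusted.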