W3C home > Mailing lists > Public > public-html-media@w3.org > March 2013

[Bug 21203] New: EME leaks information cross-origin

From: <bugzilla@jessica.w3.org>
Date: Wed, 06 Mar 2013 09:21:38 +0000
To: public-html-media@w3.org
Message-ID: <bug-21203-5436@http.www.w3.org/Bugs/Public/>

            Bug ID: 21203
           Summary: EME leaks information cross-origin
    Classification: Unclassified
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encrypted Media Extensions
          Assignee: adrianba@microsoft.com
          Reporter: hsivonen@iki.fi
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-media@w3.org

Netflix-style services need to be able to load the media file from a CDN, which
implies that the case where the media file is different-origin with the
document that hosts the media element has to work. However, the spec fails to
cover how the same-origin policy applies in this case.

The API exposes the initialization data and key IDs from the media file to the
origin of the media element.

The spec should:
 1) Explicitly document what information gets exposed cross-origin.
 2) Either:
   a) Explain why exposing that information cross-origin is harmless
considering the threats that the same-origin policy generally defends against.
   b) Make the cross-origin case not work by default and explain how CORS can
be used to make it work.

You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 6 March 2013 09:21:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:58 UTC