Re: ACTION-40: Propose text for bug 17202 to propose how to share keys without leakage of information

On Thursday, November 14, 2013, Joe Steele wrote:

> I was making that change at the API level to raise its visibility. It
> could be exposed simply between the UA and the CDM, but it still needs to
> be documented in the specification. My fear was that if this was not an
> explicit part of the spec, browser vendors will not bother to include it.
>
> *However …* David pointed out a simpler solution for the main use case I
> was concerned about where framing the video player is an option. I am
> willing to drop this. True sharing between different domains is probably an
> edge case not worth optimizing for.
>
> For those types of sites, persistent keys will not need to be shared
> across domains and live keys can be shared invisibly by the CDM without any
> privacy concerns.
>

I'm not sure I understand this last part. Can you explain what you mean by
"live keys can be shared"? (Keys from one origin or multiple? How does the
CDM know to share them? Does this only apply to "domain-like" keys?)

> Joe Steele
> steele@adobe.com
>
> On Nov 13, 2013, at 5:38 PM, Mark Watson <watsonm@netflix.com> wrote:
>
>
>
>
> On Thu, Nov 14, 2013 at 9:30 AM, Joe Steele <steele@adobe.com> wrote:
>
> I am not arguing for any non-CORS web sharing. I *am* arguing that the CDM
> should know what the CORS relationships are before it attempts sharing
> keys.
> I am trying to define a mechanism for informing the CDM of those CORS
> relationships.
>
>
> Isn't that just between the UA and the CDM? How does it impact our API?
>
>
>
>
> Joe Steele
>  steele@adobe.com
>
> On Nov 13, 2013, at 12:47 AM, Mark Watson <watsonm@netflix.com> wrote:
>
> I can't claim I have followed all of this thread, but surely we are best
> off at this stage simply saying that CDMs must follow the same origin
> policy with respect to shared data (including CORS-same-origin). IIUC,
> WebApps is looking at the more general problem of resources which are
> shared across origins which are not CORS-same-origin.
>
> ...Mark
>
>
> On Wed, Nov 13, 2013 at 4:18 PM, David Dorwin <ddorwin@google.com> wrote:
>
>
>
>
> On Wed, Nov 13, 2013 at 2:28 PM, Joe Steele <steele@adobe.com> wrote:
>
> Replies inline —
>
>  Joe Steele
> steele@adobe.com
>
> On Nov 11, 2013, at 10:52 PM, David Dorwin <ddorwin@google.com> wrote:
>
> Is there a way to solve this by running scripts from multiple domains and
> using the normal CORS rules for applications?
>
> Specifi
>
>

Received on Thursday, 14 November 2013 02:16:45 UTC