W3C home > Mailing lists > Public > public-html-media@w3.org > November 2013

Re: ACTION-40: Propose text for bug 17202 to propose how to share keys without leakage of information

From: Joe Steele <steele@adobe.com>
Date: Wed, 13 Nov 2013 18:30:21 -0800
To: David Dorwin <ddorwin@google.com>
CC: Mark Watson <watsonm@netflix.com>, Henri Sivonen <hsivonen@hsivonen.fi>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <708FC6DE-22B1-4D5A-B04D-21844BCE3A6F@adobe.com>
If I have the same player open in two different tabs (or twice on the same tab), viewing two different videos which share a network key, then the underlying CDM *may* be able to share the live key context between the player instances and not have to open a second identical key context. The mechanisms for recognizing whether keys can be shared and which keys can be shared is would be CDM dependent. It could apply to any key I think, although it only seems useful to me for keys from which other keys are chained (like domains). 

This would *not* be sharing across domains, but as you suggested that is probably a small enough edge case that it is not worth adding to the spec at this point. 

Joe Steele
steele@adobe.com

On Nov 13, 2013, at 6:16 PM, David Dorwin <ddorwin@google.com> wrote:

> 
> 
> On Thursday, November 14, 2013, Joe Steele wrote:
> I was making that change at the API level to raise its visibility. It could be exposed simply between the UA and the CDM, but it still needs to be documented in the specification. My fear was that if this was not an explicit part of the spec, browser vendors will not bother to include it.
> 
> However   David pointed out a simpler solution for the main use case I was concerned about where framing the video player is an option. I am willing to drop this. True sharing between different domains is probably an edge case not worth optimizing for. 
> 
> For those types of sites, persistent keys will not need to be shared across domains and live keys can be shared invisibly by the CDM without any privacy concerns. 
> 
> I'm not sure I understand this lat part. Can you explain what you mean by "live keys can be shared"? (Keys from one origin or multiple? How does the CDM know to share them? Does this only apply to "domain-like" keys?)
> Joe Steele
> steele@adobe.com
> 
> On Nov 13, 2013, at 5:38 PM, Mark Watson <watsonm@netflix.com> wrote:
> 
>> 
>> 
>> 
>> On Thu, Nov 14, 2013 at 9:30 AM, Joe Steele <steele@adobe.com> wrote:
>> I am not arguing for any non-CORS web sharing. I *am* arguing that the CDM should know what the CORS relationships are before it attempts sharing keys. 
>> I am trying to define a mechanism for informing the CDM of those CORS relationships.
>> 
>> Isn't that just between the UA and the CDM. How does it impact our API ?
>> 
>>  
>> 
>> Joe Steele
>> steele@adobe.com
>> 
>> On Nov 13, 2013, at 12:47 AM, Mark Watson <watsonm@netflix.com> wrote:
>> 
>>> I can't claim I have followed all of this thread, but surely we are best off at this stage simply saying that CDMs must follow the same origin policy with respect to shared data (including CORS-same-origin). IIUC, WebApps is looking at the more general problem of resources which are shared across origins which are not CORS-same-origin.
>>> 
>>> ...Mark
>>> 
>>> 
>>> On Wed, Nov 13, 2013 at 4:18 PM, David Dorwin <ddorwin@google.com> wrote:
>>> 
>>> 
>>> 
>>> On Wed, Nov 13, 2013 at 2:28 PM, Joe Steele <steele@adobe.com> wrote:
>>> Replies inline  
>>> 
>>> Joe Steele
>>> steele@adobe.com
>>> 
>>> On Nov 11, 2013, at 10:52 PM, David Dorwin <ddorwin@google.com> wrote:
>>> 
>>>> Is there a way to solve this by running scripts from multiple domains and using the normal CORS rules for applications?
>>>> 
>>>> Specifi



Received on Thursday, 14 November 2013 02:30:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:33:01 UTC