RE: [EME] Mitigating the impact of HTTPS on content providers from Jerry Smith (WINDOWS) on 2014-10-24 (public-html-media@w3.org from October 2014)

From: Jerry Smith (WINDOWS) <jdsmith@microsoft.com>
Date: Fri, 24 Oct 2014 22:37:39 +0000
To: David Dorwin <ddorwin@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <62aeefd7b8ac414ba8a75a409ffe1d9b@BY2PR03MB041.namprd03.prod.outlook.com>

We believe that Intranets should not be mandated to run https.  Perhaps we should consider an exclusion for it.

Implicit in temporarily allowing mixed MSE content Is an assumption that performance concerns (raised previously) can be resolved and the temporary exception can expire.  Is there a rationale that suggests the performance issues will be overcome anytime soon?

Jerry

From: David Dorwin [mailto:ddorwin@google.com]
Sent: Friday, October 24, 2014 9:54 AM
To: public-html-media@w3.org
Subject: [EME] Mitigating the impact of HTTPS on content providers

The main objection to requiring secure origins for some or all key systems seems to be the impact this would have on content providers using MSE - mixed content restrictions would require them to also serve the encrypted media streams from a secure origin. While there is still some debate as to the actual impact, I'd like to start a brainstorm and discussion of ideas on how we might reduce the (immediate) impact on content providers while enabling user agents to require secure origins (in a reasonable timeframe).

Here are some ideas to start the brainstorming. (I don't necessarily support any of them at this point.)

  1.  Define a flag day by which HTTPS must be supported/required.

     *   See http://lists.w3.org/Archives/Public/www-tag/2014Oct/0100.html.

     *   There might be some sort of timeline / phased-in transition.

        *   For example, ramping up the amount of HTTPS traffic.

  1.  Temporarily allow Mixed Content XHRs to be provided to MSE when EME is in use.

     *   Non-secure XHR responses passed to MSE would temporarily be considered Optionally-blockable Content like normal video.src content.
     *   Given a choice, securing EME is probably more important than preventing use of mixed content with MSE. (The alternative seems to be that none of the bytes are secure.)
     *   We would need to consider the security implications.
     *   This exception would be eventually be phased out as in #1.
     *   I'm not sure how practical this would be for implementions.

  1.  Establish an informal flag day, such as an agreement among major browser vendors and/or content providers.

     *   The goal would be to prevent content providers from segmenting the platform by refusing to support user agents that choose to require HTTPS. (See the second to last paragraph in http://lists.w3.org/Archives/Public/www-tag/2014Oct/0096.html.)

David

Received on Friday, 24 October 2014 22:38:09 UTC