[encrypted-media] Require explicit enabling of EME in nested contexts

ddorwin has just created a new issue for 
https://github.com/w3c/encrypted-media:

== Require explicit enabling of EME in nested contexts ==
Nested contexts/iframes should only be able to access EME if the 
embedding app explicitly enables it. The reasons are similar to other 
features that [will] have such limitations. Specifically, this helps 
mitigate many security and privacy concerns, especially where the 
top-level context is not complicit. This includes some of the concerns
in #101.

[Feature Policy](https://github.com/wicg/feature-policy/) appears to 
be the way forward for these purposes.

The default policies would be:
* Enable: `self` for top-level browsing context, and `null` for nested
  browsing context
* Disable: `null`

The changes to the EME spec itself would likely be similar to those 
[proposed for Web MIDI](https://github.com/WICG/feature-policy/issues/2).
Basically, the promise returned by `requestMediaKeySystemAccess()` would
be rejected with `SecurityError` if EME is disabled.

Please view or discuss this issue at 
https://github.com/w3c/encrypted-media/issues/364 using your GitHub 
account

Received on Thursday, 24 November 2016 01:14:28 UTC
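
The behaviour proposed in the issue above, as an added example that is not part of the original message or of the EME specification: a small model of the default policy and of how a player would tell a policy rejection apart from other failures. The context objects, the rule that every ancestor must itself be allowed, and all names except `requestMediaKeySystemAccess` and `SecurityError` are assumptions made for illustration.

```javascript
// Model of the proposal, not spec text or browser code. The context objects
// ({origin, parent, enables}) and the helper names are constructed.

// Top-level contexts default to `self`. A nested context gets EME only when
// its embedder is itself allowed and has explicitly enabled the frame's origin
// (the ancestor-chain rule is an assumption of this model).
function emeAllowed(ctx) {
  if (ctx.parent === null) return true;
  return emeAllowed(ctx.parent) && ctx.parent.enables.includes(ctx.origin);
}

function securityError(message) {
  const err = new Error(message);
  err.name = 'SecurityError'; // the rejection name given in the proposal
  return err;
}

// Stand-in for navigator.requestMediaKeySystemAccess() bound to one context.
function requestMediaKeySystemAccess(ctx, keySystem, configs) {
  if (!emeAllowed(ctx)) {
    return Promise.reject(securityError('EME is disabled in this context'));
  }
  return Promise.resolve({ keySystem, configs });
}

// Player-side handling: report a policy block separately from other failures
// so the embedder can see that it has to enable EME for the frame.
function probeEme(ctx, keySystem) {
  const configs = [{ initDataTypes: ['cenc'] }];
  return requestMediaKeySystemAccess(ctx, keySystem, configs).then(
    () => 'available',
    (err) => (err.name === 'SecurityError' ? 'blocked-by-policy' : 'unsupported')
  );
}

// Constructed sample tree: the app enables its player frame but not the ad frame.
const PLAYER = 'https://player.example';
const topLevel = { origin: 'https://app.example', parent: null, enables: [PLAYER] };
const player = { origin: PLAYER, parent: topLevel, enables: [] };
const ad = { origin: 'https://ads.example', parent: topLevel, enables: [PLAYER] };
// The ad frame embeds the player and "enables" it, but the ad frame itself was
// never enabled, so the non-complicit top-level context stays protected.
const playerInsideAd = { origin: PLAYER, parent: ad, enables: [] };

for (const [label, ctx] of Object.entries({ topLevel, player, ad, playerInsideAd })) {
  probeEme(ctx, 'org.w3.clearkey').then((r) => console.log(label, '->', r));
}
```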