[encrypted-media] Security: Should implementations be required to inform users in cases where this is currently recommended? from ddorwin via GitHub on 2016-09-07 (public-html-media@w3.org from September 2016)

From: ddorwin via GitHub <sysbot+gh@w3.org>
Date: Wed, 07 Sep 2016 23:39:19 +0000
To: public-html-media@w3.org
Message-ID: <issues.opened-175631924-1473291557-sysbot+gh@w3.org>

ddorwin has just created a new issue for 
https://github.com/w3c/encrypted-media:

== Security: Should implementations be required to inform users in 
cases where this is currently recommended? ==
The following are from the current Security section:

https://w3c.github.io/encrypted-media/#cdm-security:
>If a user agent chooses to support a Key System implementation that 
cannot be sufficiently sandboxed or otherwise secured, the user agent 
SHOULD ensure that users are fully informed and/or give explicit 
consent before loading or invoking it.

https://w3c.github.io/encrypted-media/#security-prompts:
>User agents SHOULD ensure that users are fully informed and/or give 
explicit consent before a Key System that presents security concerns 
that are greater than other user agent features (e.g. DOM content) may
 be accessed by an origin.


In cases where there are such concerns, should the spec _require_ 
(`MUST`) fully informing the user? This _might_ address some of the 
concerns in #304 and related discussion (i.e. in [this 
thread](https://lists.w3.org/Archives/Public/public-html-media/2016Sep/thread.html#msg3)).



Please view or discuss this issue at 
https://github.com/w3c/encrypted-media/issues/312 using your GitHub 
account

Received on Wednesday, 7 September 2016 23:39:33 UTC