On Tue, Feb 28, 2012 at 10:57 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 29 Feb 2012, Kornel LesiÅ~Dski wrote:>
> > How about defining a new scheme which includes the key in the URL?
> >
> > Example modeled on "password" part of HTTP URLs:
> >
> > myVideo.src = 'http+aes://' + escape(mykey) + ':@
> cdn.example.net/video123';
> >
> > Although not so pretty, it would readily work in all places where URLs
> > do, including HTML markup.
>
> I can't see any problem with this off the top of my head. It neatly solves
> the problem for every content type, not just HTML, which is great for
> dealing with the manifest cases Mark mentioned.
>
> Would we want to also support this over https? I suppose it's possible
> that we'd have a situation where we trusted a CDN to know the URL that a
> user was requesting but still wanted to protect the user from his network
> peers knowing what URL he was getting...
>
> Anyone want to write a spec for this?
>
I've now specced this:
http://html5.org/tools/web-apps-tracker?from=7011&to=7012
http://www.whatwg.org/specs/web-apps/current-work/#http+aes-scheme
If anyone would like to edit a spec of this that's independent of the HTML
spec, let me know, I'd be happy to move this to another spec.
--
Ian Hickson