Netflix, MSE, and EME from Anne van Kesteren on 2014-11-14 (public-webappsec@w3.org from November 2014)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 14 Nov 2014 23:49:27 +0100
To: Henri Sivonen <hsivonen@hsivonen.fi>, Mark Watson <watsonm@netflix.com>, David Dorwin <ddorwin@google.com>, Mike West <mkwst@google.com>, Jake Archibald <jaffathecake@gmail.com>, "public-html-media@w3.org" <public-html-media@w3.org>, WebAppSec WG <public-webappsec@w3.org>, Ryan Sleevi <sleevi@google.com>
Message-ID: <CADnb78ikCJFg1fkQ-NwS7fRDyAk7TajJziVmZ6RPtwQUCjmfEg@mail.gmail.com>

Here are some presumed facts:

* Service workers require TLS.
* Since we do not want service workers to affect legacy mixed content,
fetch() with mode /no CORS/ can still fetch non-TLS content. The
response to this is an opaque blob. (I don't like this, but Jake tells
me this is how Chrome will do it.)
* Netflix does not care about reading the contents of a response, it
just wants to feed it into <video>.

Given this, if we enable MSE to work with opaque responses, EME can
require TLS, and Netflix can use TLS, while still not using it for
MSE.


-- 
https://annevankesteren.nl/

Received on Friday, 14 November 2014 22:49:56 UTC