- From: Ehsan Akhgari <ehsan.akhgari@gmail.com>
- Date: Tue, 23 Jul 2013 10:52:55 -0400
- To: "Robert O'Callahan" <robert@ocallahan.org>
- Cc: "public-audio@w3.org" <public-audio@w3.org>
Received on Tuesday, 23 July 2013 14:54:03 UTC
On Tue, Jul 23, 2013 at 12:30 AM, Robert O'Callahan <robert@ocallahan.org> wrote:

> HTML media elements can play media resources from any origin. When an
> element plays a media resource from an origin different from the page's
> origin, we must prevent page script from being able to read the contents of
> the media (e.g. extract video frames or audio samples). In particular we
> should prevent ScriptProcessorNodes from getting access to the media's
> audio samples. We should also information about samples leaking in other
> ways (e.g. timing channel attacks). Currently the Web Audio spec says
> nothing about this.
>
> Anyone know how Webkit/Blink solves this?
>
> I think we should solve this by preventing any non-same-origin data from
> entering Web Audio. That will minimize the attack surface and the impact on
> Web Audio.
>
> My proposal is to make MediaElementAudioSourceNode convert data coming
> from a non-same origin stream to silence.

I like this idea. Should we also subject this to CORS rules to make it possible for Web Audio to access media elements coming from other origins?

--
Ehsan
<http://ehsanakhgari.org/>
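The following is an added example, not part of the original message and not any browser's code: a small JavaScript model of the rule discussed in the thread, where a media element source feeds real samples into the audio graph only when the media is same-origin or passes a CORS check, and silence otherwise. The function names, the `corsMode` parameter (standing in for the media element's `crossorigin` attribute) and the URLs are assumptions made for the illustration.

```javascript
// Model of the proposed gate (illustrative; names and inputs are constructed).

// Same-origin: scheme, host and port must all match. URL.origin covers all three.
function isSameOrigin(pageUrl, mediaUrl) {
  return new URL(pageUrl).origin === new URL(mediaUrl, pageUrl).origin;
}

// CORS check on the media response.
// corsMode: null (no crossorigin attribute), "anonymous" or "use-credentials".
// headers: response headers with lowercase names.
function passesCors(pageUrl, corsMode, headers) {
  if (corsMode === null) return false; // fetched without CORS: response is opaque
  const pageOrigin = new URL(pageUrl).origin;
  const allow = headers["access-control-allow-origin"];
  if (corsMode === "use-credentials") {
    // A wildcard is not accepted for credentialed requests.
    return allow === pageOrigin &&
           headers["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === pageOrigin;
}

// True when script may observe the samples. Simplification: a browser fails
// the media load outright when a requested CORS check fails; here that case
// is simply treated as "not exposed".
function mayExposeSamples(pageUrl, mediaUrl, corsMode, headers) {
  return isSameOrigin(pageUrl, mediaUrl) ||
         passesCors(pageUrl, corsMode, headers || {});
}

// What the source node hands to the graph. The silent buffer has the same
// length as the input, so a downstream ScriptProcessorNode sees the same
// number of frames either way and only zeros for cross-origin media.
function sourceNodeOutput(samples, exposed) {
  return exposed ? Float32Array.from(samples)
                 : new Float32Array(samples.length);
}

// Constructed sample: a page on app.example playing media from cdn.example.
const page = "https://app.example/player";
const media = "https://cdn.example/track.ogg";
const block = [0.5, -0.25, 0.125];
console.log(sourceNodeOutput(block, mayExposeSamples(page, media, null, {})));
console.log(sourceNodeOutput(block, mayExposeSamples(page, media, "anonymous",
  { "access-control-allow-origin": "https://app.example" })));
```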