On Tue, Jul 23, 2013 at 7:52 AM, Ehsan Akhgari <ehsan.akhgari@gmail.com>wrote:
> On Tue, Jul 23, 2013 at 12:30 AM, Robert O'Callahan <robert@ocallahan.org>wrote:
>
>> HTML media elements can play media resources from any origin. When an
>> element plays a media resource from an origin different from the page's
>> origin, we must prevent page script from being able to read the contents of
>> the media (e.g. extract video frames or audio samples). In particular we
>> should prevent ScriptProcessorNodes from getting access to the media's
>> audio samples. We should also information about samples leaking in other
>> ways (e.g. timing channel attacks). Currently the Web Audio spec says
>> nothing about this.
>>
>> Anyone know how Webkit/Blink solves this?
>>
>> I think we should solve this by preventing any non-same-origin data from
>> entering Web Audio. That will minimize the attack surface and the impact on
>> Web Audio.
>>
>> My proposal is to make MediaElementAudioSourceNode convert data coming
>> from a non-same origin stream to silence.
>>
>
> I like this idea.
>
> Should we also subject this to CORS rules to make it possible for Web
> Audio to access media elements coming from other origins?
>
seems reasonable
>
> --
> Ehsan
> <http://ehsanakhgari.org/>
>
>