[Bug 21203] EME leaks information cross-origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203

--- Comment #20 from Adrian Bateman [MSFT] <adrianba@microsoft.com> ---
(In reply to comment #18)
> * The subject for the text beginning with "or use the crossorigin
> attribute..." is "media data". Should the subject be the UA, application,
> author, or something else?

I think I changed this in the modified text.

> * The crossorigin anchor should be "attr-media-crossorigin" instead of
> "attr-img-crossorigin".

Thanks. Fixed.

> * Do we need to address MSE (and XHRs) or is that implicitly (and
> sufficiently) addressed by crossorigin?

I don't think we need to do anything explicit in EME. In MSE we directly state
how to find the origin from the Origin of Blob URIs defined in the File API and
I believe everything flows end-to-end.

> * Did step 5 of section 4.2 need to be changed? We don't fire an event, so
> origin seems irrelevant.

That's a good question. Perhaps we can't get to this point if the media data is
not already CORS same origin?

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 27 August 2013 18:30:55 UTC