[Bug 21203] EME leaks information cross-origin from bugzilla@jessica.w3.org on 2013-06-05 (public-html-bugzilla@w3.org from June 2013)

From: <bugzilla@jessica.w3.org>
Date: Wed, 05 Jun 2013 11:11:45 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-21203-2486-PVzmdqT2pu@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203

--- Comment #16 from Henri Sivonen <hsivonen@iki.fi> ---
Thanks. The "or use the crossorigin…" bit at
https://dvcs.w3.org/hg/html-media/rev/69dbfb8baca8#l1.19 is confused, though. A
CORS-enabled fetch labels the obtained resource as CORS-same-origin or
CORS-cross-origin, so using the crossorigin attribute is part of making a
cross-origin resource CORS-same-origin. 

I suggest replacing " or use the crossorigin attribute on the media element and
CORS headers on the media data response to authorize cross-origin information
exposure." with ". If media data is cross-origin with the embedding document,
use the crossorigin attribute on the media element and CORS headers on the
media data response to make it CORS-same-origin."

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 5 June 2013 11:11:51 UTC