[Bug 21203] New: EME leaks information cross-origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203

            Bug ID: 21203
           Summary: EME leaks information cross-origin
    Classification: Unclassified
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encrypted Media Extensions
          Assignee: adrianba@microsoft.com
          Reporter: hsivonen@iki.fi
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-media@w3.org

Netflix-style services need to be able to load the media file from a CDN, which
implies that the case where the media file is different-origin with the
document that hosts the media element has to work. However, the spec fails to
cover how the same-origin policy applies in this case.

The API exposes the initialization data and key IDs from the media file to the
origin of the media element.

The spec should:
 1) Explicitly document what information gets exposed cross-origin.
AND
 2) Either:
   a) Explain why exposing that information cross-origin is harmless
considering the threats that the same-origin policy generally defends against.
OR
   b) Make the cross-origin case not work by default and explain how CORS can
be used to make it work.


Received on Wednesday, 6 March 2013 09:21:40 UTC
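
Option 2(b) from the report, sketched as an added example that is not part of the original bug report or of the EME spec text: a model of withholding initialization data unless the media is same-origin or passes a CORS check. The function names, origins and sample bytes are hypothetical and constructed for illustration; in a real user agent the CORS check is performed by the browser's fetch layer, not by page script.

```javascript
// Added example: models option 2(b). All names and values are hypothetical.

// Constructed sample standing in for initialization data parsed from a media file.
const SAMPLE_INIT_DATA = new Uint8Array([0x00, 0x01, 0x02, 0x03]);

// Decide whether media fetched from mediaUrl may be treated as same-origin
// with the document at docOrigin.
//   corsMode    - the media element's crossorigin state:
//                 null (attribute absent), 'anonymous' or 'use-credentials'
//   respHeaders - the media server's response headers, names lower-cased
function isCorsSameOrigin(docOrigin, mediaUrl, corsMode, respHeaders) {
  const origin = new URL(docOrigin).origin;
  if (new URL(mediaUrl).origin === origin) return true; // truly same-origin
  if (corsMode === null) return false; // no-cors fetch: response is opaque
  const allow = respHeaders['access-control-allow-origin'];
  if (allow === undefined) return false; // server did not opt in
  if (corsMode === 'use-credentials') {
    // Credentialed requests: a wildcard is not accepted and the server
    // must also send Access-Control-Allow-Credentials: true.
    return allow === origin &&
      respHeaders['access-control-allow-credentials'] === 'true';
  }
  return allow === '*' || allow === origin;
}

// What the hosting page would be handed under option 2(b): the data if the
// check passes, null otherwise, so nothing from the file crosses origins
// without the media server's consent.
function exposedInitData(docOrigin, mediaUrl, corsMode, respHeaders, initData) {
  return isCorsSameOrigin(docOrigin, mediaUrl, corsMode, respHeaders)
    ? initData
    : null;
}

// Demo: a CDN that opts in with a wildcard, loaded with and without the
// crossorigin attribute on the media element.
const demoHeaders = { 'access-control-allow-origin': '*' };
for (const mode of [null, 'anonymous']) {
  const out = exposedInitData('https://player.example',
    'https://cdn.example/movie.mp4', mode, demoHeaders, SAMPLE_INIT_DATA);
  console.log(`crossorigin=${mode}:`, out === null ? 'withheld' : 'exposed');
}
```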