- From: <bugzilla@jessica.w3.org>
- Date: Thu, 07 Mar 2013 09:40:22 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203 --- Comment #6 from Henri Sivonen <hsivonen@iki.fi> --- (In reply to comment #5) > Ok, it sounds to me like the exposure of initialization data and key ids is > similar to exposure of text cues (they could contain arbitrary information). OK. > Can we just cut&paste or refer to text from the Media Element specification ? I suggest doing the following spec edits instead of cutting and pasting: Under 5. Algorithms under 5.1 Encrypted Block Encountered under step 7. Key Presence change the case "If there is an event handler for needkey" to "If there is an event handler for needkey and media data is CORS-same-origin". Under 5.2. Potentially Encrypted Stream Encountered change step 6. Need Key to have a <dl class="switch"> where the first entry is labeled "If media data is CORS-same-origin" and the current text there and the second entry is "Otherwise": "Abort media element's resource fetch algorithm and run the steps to report a MEDIA_ERR_ENCRYPTED error." Under the steps for createSession, alter substep 2 or outer step 6 so that the "Otherwise" branch (the one that fires MediaKeyError and aborts) is taken if the media data is not CORS-same-origin. Under the steps for update(key), alter step 6 to jump to step 8 if next message is not null but media data is not CORS-same-origin. Add a non-normative section under introduction saying that EME exposes information from the embedded media data to the embedding origin, so in order for the API to fire keymessage and keyneeded events, media data needs to be same-origin with the embedding page or use the crossorigin attribute on the media element and CORS headers on the media data response to authorize cross-origin information exposure. Where "media data" in all cases is linked to http://www.whatwg.org/specs/web-apps/current-work/multipage/the-video-element.html#media-data -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Thursday, 7 March 2013 09:40:23 UTC