[Bug 21203] EME leaks information cross-origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203

Joe Steele <steele@adobe.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |steele@adobe.com

--- Comment #9 from Joe Steele <steele@adobe.com> ---
> Add a non-normative section under introduction saying that EME exposes
> information from the embedded media data to the embedding origin, so in
> order for the API to fire keymessage and keyneeded events, media data needs
> to be same-origin with the embedding page or use the crossorigin attribute
> on the media element and CORS headers on the media data response to
> authorize cross-origin information exposure.

I want to make sure I understand which origins you are concerned about. There
are at least three domains (possibly more) that we are talking about here.

* The application domain
* The media data domain
* The key server domain(s)

Are you looking for CORS compliance across all these domains?

If so -- this runs into a problem I have brought up previously, namely that the
application may not know ahead of time what key server domain(s) will be
contacted. Can we exclude the key server domain(s) from this discussion?


Received on Friday, 8 March 2013 21:38:23 UTC
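
The gate proposed in the quoted text, sketched as an added JavaScript example (not code from the bug thread, the EME specification or any browser). It covers only the application and media data origins, not the key server domain(s) raised in the comment; the function name, URLs and header values are constructed for illustration.

```javascript
// Added example: models the proposed rule that keymessage/keyneeded events
// fire only when the media data is same-origin with the embedding page or
// was authorized via the crossorigin attribute plus CORS response headers.
// emeEventsAllowed is a hypothetical name, not an EME or browser API.
function emeEventsAllowed(pageUrl, mediaUrl, crossoriginAttr, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;
  const mediaOrigin = new URL(mediaUrl, pageUrl).origin;

  // Same-origin media: nothing crosses an origin boundary.
  if (mediaOrigin === pageOrigin) return true;

  // Cross-origin media without the crossorigin attribute is fetched in
  // no-cors mode; the response is opaque, so nothing may be derived from it.
  if (crossoriginAttr === null || crossoriginAttr === undefined) return false;

  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;

  // Any attribute value other than "use-credentials" means anonymous mode.
  if (crossoriginAttr.toLowerCase() === "use-credentials") {
    // Credentialed mode: the wildcard is not accepted, and the server must
    // also send Access-Control-Allow-Credentials: true.
    return allowOrigin === pageOrigin &&
           headers["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Constructed sample inputs (not taken from the thread).
const PAGE = "https://app.example/player.html";
const CDN = "https://cdn.example/movie.mp4";
const SAMPLES = [
  ["/movie.mp4", null, {}],
  [CDN, null, { "Access-Control-Allow-Origin": "*" }],
  [CDN, "anonymous", { "Access-Control-Allow-Origin": "*" }],
  [CDN, "use-credentials", { "Access-Control-Allow-Origin": "*",
                             "Access-Control-Allow-Credentials": "true" }],
];
for (const [media, attr, hdrs] of SAMPLES) {
  console.log(media, attr, emeEventsAllowed(PAGE, media, attr, hdrs));
}
```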