[Bug 21203] EME leaks information cross-origin

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203

--- Comment #26 from Joe Steele <steele@adobe.com> ---
(In reply to David Dorwin from comment #25)
> The application provides the initData, which contains the defaultURL (if
> any), and the application will send the keymessage to the server (either its
> own or the one specified by defaultURL). Ultimately, it is the application
> that is sending the information, which it already had access to, and normal
> CORS rules should apply, right?

The defaultURL is provided by the CDM. It may or may not have any direct
relationship to the initData. However I see your point -- any information sent
by the application is subject to CORS restrictions anyway. It makes sense to
remove that text.

I would also change step 2. of the procedure to say that the CDM provides the
defaultURL based on the initData and leave it at that. Since the initData is
CDM specific that is about all you can say.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Monday, 28 October 2013 18:19:03 UTC