[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS) from bugzilla@jessica.w3.org on 2014-08-19 (public-html-bugzilla@w3.org from August 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 19 Aug 2014 17:58:09 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-26332-2486-NXYcIS1joL@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #28 from Mark Watson <watsonm@netflix.com> ---
I would have no objection to a requirement that arbitrary non-sandboxed
user-installable CDMs may only be installed with user consent and from a secure
origin. That makes complete sense, because the UA has no idea what that thing
is and the user needs to know who they are being asked to trust.

But if the UA is fully aware of the CDM properties and/or aware of the
properties of the sandbox, if the CDM is integrated in the UA (not downloaded
by the site) then it is the UA, not the site, that the user is being asked to
trust and the situation is very different.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 19 August 2014 17:58:10 UTC