[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #43 from David Dorwin <ddorwin@google.com> ---
(In reply to Mark Watson from comment #40)
> (In reply to David Dorwin from comment #36)
> > 
> > 
> > Much of the discussion has focused on identities, but there are other
> > concerns as well. For example, DRM implementations, especially those
> > provided by the platform, are often unsandboxed. This means that such CDMs
> > could access anything on the system and they are particularly dangerous
> > because they run outside the sandbox. Given these risks and the unique
> > nature of EME/CDMs compared to other web APIs, it makes sense that such
> > risks should be restricted to authenticated domains.
> 
> Why is a platform CDM API any different from any other platform API in this
> respect?

The data that is extracted is opaque and sent to the application without any
ability for the user agent to verify its contents (vs. location coordinates
from a geolocation API, for example). CDMs are also generally more likely to be
non-inspectable.

As one example, I believe some user agents validate WebGL commands before
passing them to the GPU.

Many web APIs that expose platform functionality also normatively consider user
authorization. This includes getUserMedia() and Web MIDI. There is also regret
by some that the geolocation API was not restricted to secure origins "before
it became too late."

> > Other potential mitigations to these risks (i.e. prompt the user) are also
> > non-normative, so we cannot rely on those. Even if we made user prompts
> > normative, the benefit is minimized if non-secure origins are supported (see
> > [1] in comment #0).
> 
> There are many examples where UA implementors - and everyone else - agree
> that a user prompt is necessary but no such prompt is normatively required
> by W3C specifications. We don't generally specify such UI issues, 

Counterexamples: getUserMedia() and Web MIDI

> but that
> does not mean that we should behave as if they do not exist and adopt
> unnecessary restrictions as a result.

As I said (and Ryan expands on in comment #42), prompts are insufficient on
non-secure origins.

(In reply to Joe Steele from comment #41)
> My point is that we are better off asking UAs to prevent rogue CDMs than
> requiring UAs to implement security half-measures against what they might
> do. 

Reiterating what Ryan said, the concern is not necessarily about "rogue CDMs",
it is about limiting the damage that is possible when exposing a CDM that uses
permanent identifiers, is not fully sandboxed, etc.


Received on Tuesday, 19 August 2014 23:19:43 UTC