[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS) from bugzilla@jessica.w3.org on 2014-08-20 (public-html-bugzilla@w3.org from August 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 20 Aug 2014 00:13:03 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-26332-2486-8XQOlGFhwq@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #45 from David Dorwin <ddorwin@google.com> ---
(In reply to Mark Watson from comment #44)
> (In reply to David Dorwin from comment #43)
> > (In reply to Mark Watson from comment #40)
> > > (In reply to David Dorwin from comment #36)
> 
> > 
> > Reiterating what Ryan said, the concern is not necessarily about "rogue
> > CDMS", it is about limiting the damage that is possible when exposing a CDM
> > that uses permanent identifiers, is not fully sandboxed, etc.
> 
> So why not apply the restriction only to such CDMs ? Why should the
> restriction apply to CDMs that do not expose permanent identifiers and/or
> are fully sandboxed ?

That is essentially possible option 2 in comment #0. As mentioned there and
elsewhere, I think relying on such judgement calls will fail in practice.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 20 August 2014 00:13:09 UTC