[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #46 from Joe Steele <steele@adobe.com> ---
(In reply to Ryan Sleevi from comment #42)
> (In reply to Joe Steele from comment #41)
> > (In reply to Ryan Sleevi from comment #39)
> > > I think you're conflating two things.
> > 
> > What are the two things you think I am conflating?
> 
> "Rogue" CDMs and rogue intermediates.
> 
> I'm not sure I agree with the classification that there even is a "rogue
> CDM" - it's clear from the CDMs already in existence that certain privacy
> properties (or lack) are by-design of the CDM. Ergo, they're behaving
> exactly as that CDM should - but in a way that is detrimental to the user.

When I am referring to "rogue" CDMs, I am specifically referring to CDMs that
could negatively impact user privacy in the ways described by Section 7
"Privacy Considerations".

It is not clear to me at least that the CDMs that exist today are behaving in a
way that is detrimental to the user. Do you have a specific example in mind?

> The issue is that any intermediate can, for unprotected traffic, inject
> script to use that CDM and report to an arbitrary party those results.
> That's just how the web works.

I agree with you here. But I believe we have locked down the information that a
CDM conforming to the privacy guidelines can provide to such a degree that the
available information for disclosure here is no worse than any web application
using cookies. I don't believe that this type of disclosure is enough reason
for this API to be held to a higher standard for conforming CDMs.

With regard to non-conforming or "rogue" CDMs, since the UA is in the position
of trust with the user it is up to the UA to make the determination of what
CDMs to include and how to enforce the necessary constraints. If you believe
that "rogue" CDMs should only be loaded on secure domains, I would be ok with
that, but I suspect UAs would just refuse to load any CDMs they consider to be
"rogue".

(In reply to David Dorwin from comment #43)
> (In reply to Joe Steele from comment #41)
> > My point is that we are better off asking UAs to prevent rogue CDMs than
> > requiring UAs to implement security half-measures against what they might
> > do.
> 
> Reiterating what Ryan said, the concern is not necessarily about "rogue
> CDMs", it is about limiting the damage that is possible when exposing a CDM
> that uses permanent identifiers, is not fully sandboxed, etc.

I would consider a CDM that exposed permanent, non-blinded identifiers to be
"rogue". However, exposing an identifier that is no more privacy damaging than a
cookie does not seem like a concern to me, although some may disagree.
Sandboxing is in the purview of the UA, not the CDM. If the UA is not
sandboxing CDMs and has agreed to load a CDM with known bad behaviors, then I
would expect users that are informed and concerned will avoid that UA.


Received on Wednesday, 20 August 2014 23:15:06 UTC