[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS) from bugzilla@jessica.w3.org on 2014-08-21 (public-html-bugzilla@w3.org from August 2014)

From: <bugzilla@jessica.w3.org>
Date: Thu, 21 Aug 2014 22:17:29 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-26332-2486-oyGoF67cCP@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #58 from David Dorwin <ddorwin@google.com> ---
(In reply to Joe Steele from comment #56)
> (In reply to David Dorwin from comment #53)
> > (In reply to Joe Steele from comment #49)
> > > Prompting on a per-site basis may sound good, but the user experience is so
> > > poor around this (partly for the reasons you mention) that I don't see how
> > > it can work. 
> > 
> > I think the number of sites using DRM that a user interacts with is likely
> > to be small. Also, the UX issues can be mitigated. This issue is not unique
> > to EME or even web APIs - native mobile apps also have per-app prompts to
> > give users control.
> 
> You are correct that this is not unique to EME. However in user testing we
> have seen significant falloff in completion rates in using any web
> application that requires a user opt-in to run. I think a normative
> requirement for this type of opt-in prior to using the API will result in
> very low usage of this API. I could be wrong though -- there could be some
> amazing UX out there for this I have not seen. But it is not in Chrome,
> Firefox, Internet Explorer or Opera. 

(I'm interpreting "opt-in" as "prompt", but that may not be what you meant.)
Maybe users don't like what is being requested. In that case, the prompts are
working as intended. (Admittedly, prompts are often ineffective for many users.
That is a general problem that people are actively looking to address.)

I disagree that such a one-time prompt is going to prevent usage of EME by
sites that wish to use DRM on the web platform.

Other APIs that normatively mention permissions appear to cover the permission
request in the algorithm but make it optional in some way. This could also be
motivation to implement/use a more user-friendly solution that does not need
additional permission.

This is off topic, though. Maybe we should open a separate bug to continue
discussion.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Thursday, 21 August 2014 22:17:30 UTC