[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS) from bugzilla@jessica.w3.org on 2014-07-29 (public-html-bugzilla@w3.org from July 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 29 Jul 2014 00:00:43 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-26332-2486-cMwWpusWla@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

Jerry Smith <jdsmith@microsoft.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jdsmith@microsoft.com

--- Comment #15 from Jerry Smith <jdsmith@microsoft.com> ---
We should also consider intranet use when imposing https as a prerequisite for
using EME.  That situation may clearly not warrant https, and it would make
sense to give companies the option to use http.

The ID exposure originally mentioned as a concern seems well protected already.
 It would require implementing a license server to retrieve and access the ID. 
Further, I believe most DRMs that return this ID already protect as part of the
license message.

Given this, I don't think we should wire EME to fail on http sites, but have no
objection to recommending its use.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 29 July 2014 00:00:44 UTC