- From: <bugzilla@jessica.w3.org>
- Date: Wed, 15 Oct 2014 20:51:49 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332 --- Comment #82 from David Dorwin <ddorwin@google.com> --- Unless or until EME normatively requires identifier protection, clearability of identifiers, sandboxing of CDMs, and/or other solutions/mitigations*, we are in a situation where some implementations will be deeply concerning in the areas of privacy and security. The TAG has expressed concern about the security and privacy implications of CDMs, especially on non-secure origins [1]. That leaves us in the situation I described in comment #0: although some implementations may address or mitigate the issues, others will not. The only way to ensure implementations do the right thing *without fragmenting the web platform* is to require secure origins for all implementations. The remaining question is how to facilitate a smooth transition by content providers that use MSE and thus cannot use mixed content in many user agents. * Even some mitigations, such as user permissions, are exploitable when using HTTP origins. [1]: https://github.com/w3ctag/spec-reviews/blob/master/2014/10/eme.md#user-facing-concerns -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Wednesday, 15 October 2014 20:51:50 UTC