- From: <bugzilla@jessica.w3.org>
- Date: Wed, 15 Oct 2014 21:22:52 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332 --- Comment #83 from Bob Lund <b.lund@cablelabs.com> --- (In reply to David Dorwin from comment #82) > Unless or until EME normatively requires identifier protection, clearability > of identifiers, sandboxing of CDMs, and/or other solutions/mitigations*, we > are in a situation where some implementations will be deeply concerning in > the areas of privacy and security. The TAG has expressed concern about the > security and privacy implications of CDMs, especially on non-secure origins > [1]. > > That leaves us in the situation I described in comment #0: although some > implementations may address or mitigate the issues, others will not. The > only way to ensure implementations do the right thing *without fragmenting > the web platform* is to require secure origins for all implementations. Wouldn't another alternative be a normative requirement that requests from CDM are encrypted? > > The remaining question is how to facilitate a smooth transition by content > providers that use MSE and thus cannot use mixed content in many user agents. > > * Even some mitigations, such as user permissions, are exploitable when > using HTTP origins. > > [1]: > https://github.com/w3ctag/spec-reviews/blob/master/2014/10/eme.md#user- > facing-concerns -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Wednesday, 15 October 2014 21:22:54 UTC