- From: <bugzilla@jessica.w3.org>
- Date: Thu, 16 Oct 2014 00:42:45 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #86 from Mark Watson <watsonm@netflix.com> ---

This thread, the TAG opinion and David's comment#82 all reflect the fact that there are multiple ways to address the privacy and security risks that have been raised.

We could add additional normative requirements to the specification, though this requires some discussion and may not solve all problems. We could require secure origins, though this also requires some discussion - including of the mixed content problem - and still may not solve all problems. There may also be some middle ground, where a secure origin is required conditionally, depending on the properties of the CDM.

In practice, in many cases, the CDM and UA implementors together can address the issues raised here without secure origins. In these cases they should not be forced to anyway require a secure origin, given the high cost of such a requirement on content providers.

We could even simply strengthen our security requirements by enumerating the issues and mitigations (including but not limited to secure origins) and requiring that implementations MUST address these: this would already be more than the rest of the web platform - any implementation could have buffer overrun vulnerabilities, for example, and we do not specify how browsers should address this security aspect - we just assume that they do.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Thursday, 16 October 2014 00:42:47 UTC