- From: <bugzilla@jessica.w3.org>
- Date: Thu, 16 Oct 2014 23:03:37 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=24082

--- Comment #11 from David Dorwin <ddorwin@google.com> ---
(In reply to Joe Steele from comment #10)
> (In reply to Joe Steele from comment #8)
> > * Support for application data
> > It would be very helpful to be able to add custom data from the application
> > that could then be signed by the CDM as part of the key request.
>
> This is still an issue. It can (and will if not addressed in the spec) be
> implemented by applications via modifying the initData passed to the CDM to
> contain the additional information desired or by browsers supporting
> non-standard additional parameters to the createSession/generateRequest
> methods. Neither of these seems to add to interoperability.

This would be an inappropriate misuse of the EME APIs, be an abuse of initData, and NOT be spec-compliant. Allowing such data to be passed via some proprietary key system protocols would itself inhibit interoperability. See comment #5.

More generally, it is concerning to (again [1]) see you imply implementation of non-standard APIs or behavior should the spec process not have a specific outcome.

> (In reply to David Dorwin from comment #9)
> > In addition to interoperability, such unvetted extensions may also
> > compromise the security and privacy properties of the spec. Likewise,
> > supporting such extensions would make it difficult to reason about such
> > properties.
>
> This is veering into the secure origin discussion in bug 26332. The channel
> between the application and the CDM already exists. Adding additional data
> from the same source to the channel does not change the security calculus.
> We are just talking about the semantics of how it gets added, not whether it
> can be added at all.

To clarify, my comment was general and did not apply to any specific extension(s). This was a general statement about unspecified or non-normative functionality making such analysis and specification difficult, if not impossible. This is not necessarily related to the secure origin bug; it could also affect the user agent (i.e. origin considerations).

> > I believe we have sufficient points to extend the standardized feature set
> > in the future if necessary. For example, SessionType and
> > MediaKeySystemOptions.
>
> I think we are getting closer. But this issue still exists. It can be worked
> around as I mentioned above, but I don't think that what I described is the
> right solution. The right solution is to either eliminate the need for this
> extension or have explicit support for it.

If you think there is a missing feature, we should discuss it (in a different thread) rather than just allowing or implementing proprietary extensions. However, I believe this specific feature has already been discussed multiple times.

[1] http://www.w3.org/2014/08/26-html-media-minutes.html#item08

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Thursday, 16 October 2014 23:03:38 UTC