[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

David Dorwin <ddorwin@google.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|adrianba@microsoft.com      |ddorwin@google.com
         Whiteboard|Security, Privacy           |Security, Privacy, TAG

--- Comment #92 from David Dorwin <ddorwin@google.com> ---
The current text is insufficient from a security and privacy perspective.
Requiring a secure origin addresses many different issues and addresses both
the TAG's resolution and spec review feedback. In all the discussion over the
last three months, there have been no proposals for concrete alternatives that
address as many issues or can definitely be enacted in all implementations. It
is also possibly the only mitigation that can be implemented entirely within
the user agent.

Rather than saying EME shouldn't require a secure origin because it might be
possible to implement a CDM that doesn't have these concerns, we should require
it unless normative requirements that sufficiently address the concerns are
defined and met.

I am going to implement the secure origin requirement for now. We can continue
discussing potential mitigations for content providers. (I've started a
discussion at
http://lists.w3.org/Archives/Public/public-html-media/2014Oct/0079.html.) If we
come up with normative solutions or exceptions, we can consider removing the
absolute requirement. If you have specific ideas for addressing the security
and/or privacy concerns OR the impact on content providers, please start a
thread or file a bug.

Received on Friday, 24 October 2014 16:59:07 UTC