- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Thu, 19 Feb 2009 09:14:25 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec In directory hutz:/tmp/cvs-serv28658 Modified Files: Overview.html Log Message: Fill in media element security/privacy section. (whatwg r2840) Index: Overview.html =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.2010 retrieving revision 1.2011 diff -u -d -r1.2010 -r1.2011 --- Overview.html 19 Feb 2009 08:16:30 -0000 1.2010 +++ Overview.html 19 Feb 2009 09:14:22 -0000 1.2011 
@@ -16278,10 +16278,38 @@ <td><code>Event</code> <td>Either the <code title=dom-media-volume><a href=#dom-media-volume>volume</a></code> attribute or the <code title=dom-media-muted><a href=#dom-media-muted>muted</a></code> attribute has changed. Fired after the relevant attribute's setter has returned. <td> - </table><h5 id=security-and-privacy-considerations><span class=secno>4.8.10.14 </span>Security and privacy considerations</h5><p class=XXX>Talk about making sure interactive media files - (e.g. SVG) don't have access to the container DOM (XSS potential); - talk about not exposing any sensitive data like metadata from tracks - in the media files (intranet snooping risk)<h4 id=the-canvas-element><span class=secno>4.8.11 </span>The <dfn id=canvas><code>canvas</code></dfn> element</h4><dl class=element><dt>Categories</dt> + </table><h5 id=security-and-privacy-considerations><span class=secno>4.8.10.14 </span>Security and privacy considerations</h5><p>The main security and privacy implications of the + <code><a href=#video>video</a></code> and <code><a href=#audio>audio</a></code> elements come from the + ability to embed media cross-origin. There are two directions that + threats can flow: from hostile content to a victim page, and from a + hostile page to victim content.</p><hr><p>If a victim page embeds hostile content, the threat is that the + content might contain scripted code that attempts to interact with + the <code>Document</code> that embeds the content. To avoid this, + user agents must ensure that there is no access from the content to + the embedding page. In the case of media content that uses DOM + concepts, the embedded content must be treated as if it was in its + own unrelated <a href=#top-level-browsing-context>top-level browsing context</a>.<p class=example>For instance, if an SVG animation was embedded in + a <code><a href=#video>video</a></code> element, the user agent would not give it + access to the DOM of the outer page. 
From the perspective of scripts + in the SVG resource, the SVG file would appear to be in a lone + top-level browsing context with no parent.</p><hr><p>If a hostile page embeds victom content, the threat is that the + embedding page could obtain information from the content that it + would not otherwise have access to. The API does expose some + information: the existence of the media, its type, its duration, its + size, and the performance characteristics of its host. Such + information is already potentially problematic, but in practice the + same information can more or less be obtained using the + <code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.<p>However, significantly more sensitive information could be + obtained if the user agent further exposes metadata within the + content such as subtitles or chapter titles. This version of the API + does not expose such information. Future extensions to this API will + likely reuse a mechanism such as CORS to check that the embedded + content's site has opted in to exposing such information. <a href=#references>[CORS]</a><p class=example>An attacker could trick a user running within a + corporate network into visiting a site that attempts to load a video + from a previously leaked location on the corporation's intranet. If + such a video included confidential plans for a new product, then + being able to read the subtitles would present a confidentiality + breach.<h4 id=the-canvas-element><span class=secno>4.8.11 </span>The <dfn id=canvas><code>canvas</code></dfn> element</h4><dl class=element><dt>Categories</dt> <dd><a href=#flow-content-0>Flow content</a>.</dd> <dd><a href=#phrasing-content-0>Phrasing content</a>.</dd> <dd><a href=#embedded-content-2>Embedded content</a>.</dd>
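Review bot: The second half of the added section (a hostile page embedding victim content) carries no normative requirement. "This version of the API does not expose such information" is descriptive, whereas the first half says user agents "must ensure that there is no access from the content to the embedding page". Consider stating that user agents must not expose metadata within cross-origin media content, such as subtitles or chapter titles, to the embedding page, so that an implementation adding such access before an opt-in mechanism is specified is clearly non-conforming. In the same paragraph, "victom content" should read "victim content".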
Received on Thursday, 19 February 2009 09:14:37 UTC