- From: <bugzilla@jessica.w3.org>
- Date: Wed, 06 Mar 2013 09:21:38 +0000
- To: public-html-media@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21203 Bug ID: 21203 Summary: EME leaks information cross-origin Classification: Unclassified Product: HTML WG Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P2 Component: Encrypted Media Extensions Assignee: adrianba@microsoft.com Reporter: hsivonen@iki.fi QA Contact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-media@w3.org Netflix-style services need to be able to load the media file from a CDN, which implies that the case where the media file is different-origin with the document that hosts the media element has to work. However, the spec fails to cover how the same-origin policy applies in this case. The API exposes the initialization data and key IDs from the media file to the origin of the media element. The spec should: 1) Explicitly document what information gets exposed cross-origin. AND 2) Either: a) Explain why exposing that information cross-origin is harmless considering the threats that the same-origin policy generally defends against. OR b) Make the cross-origin case not work by default and explain how CORS can be used to make it work. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Wednesday, 6 March 2013 09:21:40 UTC