Re: EME: Rendering behavior undefined from Hans Schmucker on 2014-01-12 (public-html-media@w3.org from January 2014)

From: Hans Schmucker <hansschmucker@gmail.com>
Date: Sun, 12 Jan 2014 22:52:33 +0100
To: robert@ocallahan.org
Cc: "<public-html-media@w3.org>" <public-html-media@w3.org>
Message-ID: <CAMtPrS_87UEU0o=dse0xj-Zu6iYAst5TBWN01sjdBNkQVvBcBA@mail.gmail.com>
Thanks for the reply roc.

I actually agree with you on almost every single point. I'm not very happy
about EME either... but since it probably will happen, I at least want to
make sure it's stable, delivering predictable results without requiring
web-developers to test against every single UA individually. Right now, EME
as a standard pretty much says: Take a stream, hand it somehow to something
which will do something with it, which is not exactly what I'd expect of a
W3C standard.

If Microsoft and Google are already shipping implementations, while the
standard is not even nearly finalized, then I would honestly say that
that's their problem. Google's Chrome at least has the capabilities to
adapt, with their background-update system. In case of Microsoft... well,
maybe that'll get them thinking. Web developers will probably take a while
to use EME, so I don't think any changes right now are a major issue for
them.

About the security implications. Your concerns are very, VERY valid. But
the spec right now doesn't protect against any of this and saying "you can
make it secure if you like" to UA and CDM vendors is probably the worst
thing to do. This way, people embedding EME-protected content may think
that it's secure, because it is in their browser, while it's insecure in
another one.

The only solution I see is to again include a mandatory behavior for CDMs
in the spec... one different from the one I proposed earlier, which
addresses these issues, by making it mandatory for CDMs that render their
content directy to obey a a series of clipping rects or a mask from the UA.
It's bad. I know it's bad. But at least it would be consistent.

--hans


On Sun, Jan 12, 2014 at 10:32 PM, Robert O'Callahan <robert@ocallahan.org>wrote:

> On Sat, Jan 11, 2014 at 3:18 AM, Hans Schmucker <hansschmucker@gmail.com>wrote:
>
>> I suggest that we define a rendering behavior and do make it normative.
>> Some ideas:
>>
>> 1. EME-protected content rendering happens in a separate frame, which
>> overlays any HTML, SVG or other content that the user-agent may be able to
>> process. However, a user-agent may display its own controls above the
>> EME-protected content.
>>
>> 2. EME-protected content is not clipped, except against the primary
>> viewport (not, for example, that of an iframe). The area of the
>> EME-protected element is defined as the rectangle (as the defined by the
>> HTML box model) occupied by the element.
>>
>> 3. The Coordinates that define the EME-protected rendering area are
>> derived from the VIDEO element. However the transformation is not applied
>> on a visual basis, meaning that for example an SVG offset filter would not
>> play into the calculation. The result is identical to the result of
>> getBoundingClientRect.
>>
>> 4. EME-protected content is not transparent. The user-agent must fill the
>> area with solid black first.
>>
>> 5. Rendering happens in content-order. Where two EME-protected elements
>> overlap, the last element will be shown.
>>
>> 6. It is inaccessible to any other web apis. No CSS filters, SVG Filters,
>> transformations, zoom controls and so on affect it
>>
>> 7. Even if the user-agent is tasked with rendering the image, the
>> behavior remains unchanged.
>>
>
> These restrictions drastically limit the utility of EME-protected content.
> Imposing these lowest-common-denominator requirements on all UAs, even
> those which can do much better, won't be good for EME. I'm actually fine
> with that, since I want EME usage to be minimized, but I suspect it won't
> fly.
>
> Another issue is that many of these suggestions, especially #2, create
> security problems. It's highly unsafe to allow content from an IFRAME in
> one domain to escape clipping and occlusion imposed by a parent document in
> another domain. If a UA can't clip the EME content properly, then I'd
> recommend disallowing usage of EME in cross-domain IFRAMEs ... but that
> would preclude EME in the common case of "embedded Youtube IFRAME".
>
> Yet another issue is that Google, Apple and Microsoft are already shipping
> EME, presumably without these restrictions, so you now have a compatibility
> problem where imposing these restrictions on them could break existing
> sites.
>
> Rob
> --
> Jtehsauts  tshaei dS,o n" Wohfy  Mdaon  yhoaus  eanuttehrotraiitny  eovni
> le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o  Whhei csha iids  teoa
> stiheer :p atroa lsyazye,d  'mYaonu,r  "sGients  uapr,e  tfaokreg iyvoeunr,
> 'm aotr  atnod  sgaoy ,h o'mGee.t"  uTph eann dt hwea lmka'n?  gBoutt  uIp
> waanndt  wyeonut  thoo mken.o w
>
Received on Sunday, 12 January 2014 21:53:01 UTC