Re: [EME] Mitigating the impact of HTTPS on content providers from Mark Watson on 2014-10-24 (public-html-media@w3.org from October 2014)

From: Mark Watson <watsonm@netflix.com>
Date: Fri, 24 Oct 2014 10:23:58 -0700
To: David Dorwin <ddorwin@google.com>
Cc: "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <CAEnTvdArjejymb5OvGLEXBiADu26q9RnxjjBUghDwKp32YpVMA@mail.gmail.com>

This is a good direction to take the discussion, but I'd like to see the
pre-emptive change under bug 26332 reverted first.

...Mark

On Fri, Oct 24, 2014 at 9:53 AM, David Dorwin <ddorwin@google.com> wrote:

> The main objection to requiring secure origins for some or all key systems
> seems to be the impact this would have on content providers using MSE -
> mixed content restrictions would require them to also serve the encrypted
> media streams from a secure origin. While there is still some debate as to
> the actual impact, I'd like to start a brainstorm and discussion of ideas
> on how we might reduce the (immediate) impact on content providers while
> enabling user agents to require secure origins (in a reasonable timeframe).
>
> Here are some ideas to start the brainstorming. (I don't necessarily
> support any of them at this point.)
>
>    1. Define a flag day by which HTTPS must be supported/required.
>       1. See http://lists.w3.org/Archives/Public/www-tag/2014Oct/0100.html
>       .
>       2. There might be some sort of timeline / phased-in transition.
>          1. For example, ramping up the amount of HTTPS traffic.
>       2. Temporarily allow Mixed Content XHRs to be provided to MSE when
>    EME is in use.
>       1. Non-secure XHR responses passed to MSE would temporarily be
>       considered Optionally-blockable Content like normal video.src content.
>       2. Given a choice, securing EME is probably more important than
>       preventing use of mixed content with MSE. (The alternative seems to be that
>       none of the bytes are secure.)
>       3. We would need to consider the security implications.
>       4. This exception would be eventually be phased out as in #1.
>       5. I'm not sure how practical this would be for implementions.
>    3. Establish an informal flag day, such as an agreement among major
>    browser vendors and/or content providers.
>       1. The goal would be to prevent content providers from segmenting
>       the platform by refusing to support user agents that choose to require
>       HTTPS. (See the second to last paragraph in
>       http://lists.w3.org/Archives/Public/www-tag/2014Oct/0096.html.)
>
>
> David
>

Received on Friday, 24 October 2014 17:24:26 UTC