Re: [EME] Mitigating the impact of HTTPS on content providers

On Fri, Oct 24, 2014 at 7:53 PM, David Dorwin <ddorwin@google.com> wrote:
> Temporarily allow Mixed Content XHRs to be provided to MSE when EME is in
> use.

How do you track the "provided to MSE" part? Having the browser keep
track that data from mixed-content XHR travels only to MSE doesn't
seem particularly attractive.

Better alternative: Before the XHR request is sent, allow the
application to set a content type expectation and a response body hash
expectation on XHR. If these are set, mixed-content XHR is attempted.
If the response content type matches the content type expectation and
a hash computed over the response body matches the hash expectation,
the attempted XHR does not fail and the application is allowed to use
the retrieved data in any way possible with XHR normally after the
load has been completed (it has to complete for the hash to be
checked), including passing the data to MSE.

-- 
Henri Sivonen
hsivonen@hsivonen.fi
https://hsivonen.fi/

Received on Monday, 27 October 2014 14:30:35 UTC