Re: [whatwg] Fetch, MSE, and MIX

On 15 April 2015 at 13:50, Ryan Sleevi <sleevi@google.com> wrote:
> While that solves the direct script access to response.body/the stream, I
> understood Anne's remark to be more about filtering/transitive operations on
> the Stream, which might vend new Streams, and thus lose the security
> protections.

Yes, this is exactly the sort of thing we deal with in MediaStreams:
you can render a cross-origin video stream to <video>, then capture
the output of the video tag, thereby creating a new MediaStream.  Same
goes for rendering to <video>, then <canvas>.  It's a little different
for WebAudio, the decision was to not allow the cross-origin content
to enter the graph.

My only point was that we have a precedent for handling this exact
sort of problem.

> Or perhaps I'm misunderstanding, and your remark about reading Response.body was discussing attempts directly by the script to access the body? In which case, I think this would be Domenic's remark that it shouldn't be possible to get a reader.

Yes, I am agreeing with Domenic.

BTW, do you care that it might be possible to learn the length of the data?

Received on Wednesday, 15 April 2015 21:04:30 UTC