W3C home > Mailing lists > Public > public-html-media@w3.org > February 2015

RE: IE Blog Posting on HLS and DASH Type 1 support

From: Jerry Smith (WINDOWS) <jdsmith@microsoft.com>
Date: Thu, 12 Feb 2015 01:15:29 +0000
To: Aaron Colwell <acolwell@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <BY2PR03MB0418141FC4558C431E8E552A4220@BY2PR03MB041.namprd03.prod.outlook.com>
Hi Aaron:

Thanks for your comments (and sorry for my delay getting back)!

Some responses:


-          On CORS URL verification:  Yes, each target URL will be verified, and only allowed origins will be used.

-          On mixed content:  The DASH manifest can contain either http or https URLs and right now we use what they define.  This seems equivalent to allowing app control over mixed content decisions.  If, by policy, we somehow require the document origin security to be applied to content, sites and DASH manifests would need to adjust.  I believe the DASH Type 1 model would be able to accommodate that.

-          On tainting:  Is there a specific case you would like addressed assuming the URLs are validated before use?

I agree in general that the language describing video elements is stretched some by having a manifest src, and it was one reason I posted the blog to this mail list.  We believe this model is desirable though.  Is there consensus that some clarification is needed?  Where should it reside?

Jerry

From: Aaron Colwell [mailto:acolwell@google.com]
Sent: Friday, January 30, 2015 10:10 AM
To: Jerry Smith (WINDOWS); public-html-media@w3.org
Subject: Re: IE Blog Posting on HLS and DASH Type 1 support

Hi Jerry,
Congrats. I've got a few questions though:
1. Do all the URLs inside the manifests go through CORS verification?
2. What is mixed-content & tainting behavior if the manifests and/or content URLs don't have the same origin or are a mix of http & https content?

It would be good to get these behaviors specified in the HTML spec since the current text seems to implicitly assume that the URL passed to .src is the only URL that needs to be considered for media playback. The media URLs in DASH & HLS manifests kind of violate that assumption. It would be nice to get concensus on the appropriate behavior so everyone implements the same thing and it is consistent with current web platform security best practices.

Aaron

On Thu Jan 29 2015 at 5:25:52 PM Jerry Smith (WINDOWS) <jdsmith@microsoft.com<mailto:jdsmith@microsoft.com>> wrote:
Just a quick note.  Microsoft has been working to implement HLS and DASH Type 1 streaming on top of MSE.  We posted some information on this today on the IE Blog:  http://blogs.msdn.com/b/ie/archive/2015/01/29/simplified-adaptive-video-streaming-announcing-support-for-hls-and-dash-in-windows-10.aspx


Let me know if you have any feedback.

Jerry
Received on Thursday, 12 February 2015 01:15:59 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 12 February 2015 01:16:00 UTC