[encrypted-media] Require that the license match the session type

ddorwin has just created a new issue for
https://github.com/w3c/encrypted-media:

== Require that the license match the session type ==
The [`update()`
algorithm](https://w3c.github.io/encrypted-media/#update) currently
says:
>If sessionType is `"persistent-license"`
>>Continue processing sanitized response, storing the license, key(s),
or similar session data contained in sanitized response as permitted
or instructed by the license. Such data must be stored such that only
the origin of this object's Document can access it.

There is similar text for `"persistent-release-message"`.

This was intentionally written to be permissive - for example,
allowing a temporary license to be provided. The purpose of the type
was to (a) indicate that the application was taking responsibility for
managing persistence and (b) tell the CDM the type of license request
to generate.

However, an application expecting an offline license might be confused
if the UA/CDM silently accept a temporary license. Currently, the only
way to detect this would be to close() the session and try to `load()`
it. If a `"persistent-license"` session implies that the license/keys
are persisted, the application could simply check for the keys in the
`keyStatuses` attribute.

In addition, if we define algorithm behavior based on the session type
(issue #16), the license probably needs to match the session type.

The only loss of functionality I can think of is that an application
couldn't _always_ specify `"persistent-license"` and let the server or
some other part of the application decide whether to issue a temporary
license. It seems unreasonable for the entire application and server
to be in sync. (Note: The license server still gets to decide
_whether_ to issue a persistent license, but issuing a temporary
license for a persistent session would fail.)

See https://github.com/w3c/encrypted-media/issues/26

Received on Monday, 26 January 2015 22:02:51 UTC