- From: Harry Halpin via GitHub <sysbot+gh@w3.org>
- Date: Tue, 16 Aug 2016 11:26:57 +0000
- To: public-html-media@w3.org
hhalpin has just created a new issue for https://github.com/w3c/encrypted-media: == Turn off EME by default and activate only with express permission from user == I think this text would help address the concerns over the EME. It should be added in the Security Section part of the current EME spec: https://www.w3.org/TR/encrypted-media/#security "A conforming implementation of this specification MUST ensure that this API cannot be used without the user's express permission due to the inherent risks in the activation of a CDM in a user agent. The API MUST be disabled by default, and should only be activated when the user gives express consent and is fully informed on a per-origin basis." In particular, this is stronger text than is currently included and could replace this text under ""Per-origin user alerts / prompts and permissions"": "User Agents SHOULD ensure that users are fully informed and/or give explicit consent before a Key System that presents security concerns that are greater than other user agent features (e.g. DOM content) may be accessed by an origin" as this text does mandate off by default, uses MUST, and notes that an EME-enabled Key System *always* presents security concerns that are greater other user agent features (due to DMCA). This is explicitly different in scope and effect from : https://github.com/w3c/encrypted-media/issues/288 Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/304 using your GitHub account
Received on Tuesday, 16 August 2016 11:27:05 UTC