- From: ddorwin via GitHub <sysbot+gh@w3.org>
- Date: Thu, 24 Nov 2016 01:14:22 +0000
- To: public-html-media@w3.org

ddorwin has just created a new issue for https://github.com/w3c/encrypted-media:

== Require explicit enabling of EME in nested contexts ==

Nested contexts/iframes should only be able to access EME if the embedding app explicitly enables it. The reasons are similar to other features that [will] have such limitations. Specifically, this helps mitigate many security and privacy concerns, especially where the top-level context is not complicit. This includes some of the concerns in #101.

[Feature Policy](https://github.com/wicg/feature-policy/) appears to be the way forward for these purposes. The default policies would be:

* Enable: `self` for top-level browsing context, and `null` for nested browsing context
* Disable: `null`

The changes to the EME spec itself would likely be similar to those [proposed for Web MIDI](https://github.com/WICG/feature-policy/issues/2). Basically, the promise returned by `requestMediaKeySystemAccess()` would be rejected with `SecurityError` if EME is disabled.

Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/364 using your GitHub account

Received on Thursday, 24 November 2016 01:14:28 UTC
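
The following is an added example, not part of the original message or of the EME specification. It shows how player code running in a frame could tell the proposed `SecurityError` rejection (EME not enabled by the embedder) apart from an ordinary `NotSupportedError`. The names `probeEme` and `classifyEmeFailure`, the status strings, and the sample configuration are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names): classify the outcome of an EME
// probe so a player in a nested context can report "blocked by embedder"
// instead of treating the failure as a missing key system.

// Map a rejection from requestMediaKeySystemAccess() to a status string.
function classifyEmeFailure(err) {
  const name = err && err.name;
  // Proposed in the issue: rejection with SecurityError when EME is disabled.
  if (name === 'SecurityError') return 'blocked-by-embedder';
  // Existing EME behaviour: no supported configuration for the key system.
  if (name === 'NotSupportedError') return 'unsupported-config';
  return 'error';
}

// `nav` is passed in (normally window.navigator) so the logic can be
// exercised outside a browser with a stand-in object.
async function probeEme(nav, keySystem, configs) {
  if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
    return { status: 'no-eme' };
  }
  try {
    const access = await nav.requestMediaKeySystemAccess(keySystem, configs);
    return { status: 'available', access };
  } catch (err) {
    return { status: classifyEmeFailure(err) };
  }
}

// Constructed sample configuration, used only for the probe.
const SAMPLE_CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// In a browser frame: log the result so an operator can see whether the
// embedding page has enabled EME for this context.
if (typeof window !== 'undefined' && typeof navigator !== 'undefined') {
  probeEme(navigator, 'org.w3.clearkey', SAMPLE_CONFIG)
    .then((result) => console.log('EME probe:', result.status));
}
```
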