- From: Nick Doty via GitHub <sysbot+gh@w3.org>
- Date: Mon, 06 Nov 2017 23:17:26 +0000
- To: public-tt@w3.org
npdoty has just created a new issue for https://github.com/w3c/imsc: == privacy and cross-origin policies not clear == In discussions on a recent Privacy Interest Group (PING) call, there was confusion about [Security and Privacy related to external images](https://www.w3.org/TR/ttml-imsc1.0.1/#privacy-and-security-considerations-non-normative). 1. Typically, the Web allows loading images in the browser from across origins, and the current text seems to suggest otherwise. 2. It's not clear how an implementer of IMSC should handle CSP policies on the containing page, which could prohibit loading images from an external source. I would think that CSP policies on the current page should apply to the loading of resources from elsewhere for the subcaptions of a video on that page, because images from other origins could potentially allow some other origin to deceive the user about the contents of the current page. That said, perhaps there isn't the assumption that this is connected to a particular Web document and its origin, or its local security policies, in which case it would be hard to give any guidance related to those security properties. Please view or discuss this issue at https://github.com/w3c/imsc/issues/280 using your GitHub account
Received on Monday, 6 November 2017 23:17:29 UTC