- From: David Walp <David.Walp@microsoft.com>
- Date: Wed, 2 Jul 2014 02:43:42 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi,

Per my action item from the last conference call, here is Microsoft's feedback on the Mixed Content specification.

Generally Microsoft is supportive of publishing the Mixed Content draft as a FPWD. We do have one area of concern with the draft.

We've heard from customers that would like to play insecure media segments from within a secure web page, largely for performance reasons, and also that hosted media can present mixed content scenarios even if the media site alone doesn't. These media segments are retrieved as arraybuffer types via XHR and played back via MSE or EME. The current proposal would prevent this from happening.

To address this use case we would propose that "arraybuffer" response types be categorized as "Optionally-blockable passive content". Although there are methods to pass non-media content through an array buffer, we think both the server and client would need to participate (agree on the encoding) in order to use an arraybuffer as a security hole. Because both sides would need to be complicit, the exploitable surface area seems acceptable.

Cheers,
_dave_
Received on Wednesday, 2 July 2014 12:27:32 UTC
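The following JavaScript is an added example, not code from David Walp's message or from the W3C Mixed Content draft. It models the categorisation the message is discussing: a request from a secure document to an insecure URL is either "optionally-blockable" (the draft's passive media loads) or "blockable" (everything else). The point it makes visible is why an XHR with `responseType = "arraybuffer"` lands in the blockable category under the draft: the user agent classifies the request by its destination at fetch time, and a response type says nothing about what the bytes will contain. The set of optionally-blockable destinations (`image`, `audio`, `video`), the treatment of `http:`/`ws:` as insecure and `https:`/`wss:` as secure, and the sample URLs are all assumptions made for this example.

```javascript
// Added example; not part of the original message or of the W3C draft.
// Assumption: the draft's "optionally-blockable passive content" covers
// loads whose destination is image, audio or video. Everything else
// (script, style, frames, XHR in any responseType) is treated as blockable.
const OPTIONALLY_BLOCKABLE_DESTINATIONS = new Set(["image", "audio", "video"]);

// Assumption: https: and wss: are the only schemes treated as secure here.
function isSecureUrl(url) {
  const u = new URL(url);
  return u.protocol === "https:" || u.protocol === "wss:";
}

// Classify one subresource request issued from a document.
// Returns "not-mixed", "optionally-blockable" or "blockable".
function classifyMixedContent(documentUrl, request) {
  // A page that is itself loaded insecurely has no "mixed" content.
  if (!isSecureUrl(documentUrl)) return "not-mixed";
  if (isSecureUrl(request.url)) return "not-mixed";
  // The category depends on request.destination only. An XHR asking for an
  // arraybuffer is still destination "xhr": the UA cannot know at request
  // time whether the bytes are a media segment or something else.
  if (OPTIONALLY_BLOCKABLE_DESTINATIONS.has(request.destination)) {
    return "optionally-blockable";
  }
  return "blockable";
}

// What a user agent following the draft's default behaviour would do.
function mixedContentDecision(documentUrl, request) {
  const category = classifyMixedContent(documentUrl, request);
  switch (category) {
    case "not-mixed":
      return { category, action: "allow" };
    case "optionally-blockable":
      return { category, action: "allow-with-warning" };
    default:
      return { category, action: "block" };
  }
}

// Constructed sample: the scenario from the message, a secure player page
// that wants to pull media segments from a plain-http CDN.
const PAGE = "https://player.example/watch";
const SAMPLE_REQUESTS = [
  { destination: "video", url: "http://cdn.example/segment-0.mp4" },
  { destination: "xhr", responseType: "arraybuffer", url: "http://cdn.example/segment-0.mp4" },
  { destination: "xhr", responseType: "arraybuffer", url: "https://cdn.example/segment-0.mp4" },
  { destination: "script", url: "http://cdn.example/player.js" },
];

function classifySamples() {
  return SAMPLE_REQUESTS.map((r) => ({ ...r, ...mixedContentDecision(PAGE, r) }));
}

for (const r of classifySamples()) {
  console.log(`${r.destination.padEnd(7)} ${r.url.padEnd(40)} ${r.category} -> ${r.action}`);
}
```

Running it shows the contrast the message is asking the working group to change: the same segment URL is optionally-blockable when loaded through a `<video>` element but blockable when fetched by XHR, and switching the CDN to `https:` removes the problem entirely, which is the mitigation the draft favours over widening the passive category.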