- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 12 Nov 2014 14:39:48 -0800
- To: Mark Watson <watsonm@netflix.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 3, 2014 at 10:25 AM, Mark Watson <watsonm@netflix.com> wrote:
> I expect most people are familiar with the debate as to whether Encrypted
> Media Extensions should require a secure origin and also the fact that that
> debate might become moot if it were possible to deliver video content over
> HTTP on an HTTPS site (including video fetched using XHR and played using
> the Media Source Extensions).

Mark,

First of all, most/all browsers already automatically load mixed-content video presented through <video>. But, you're asking browsers to loosen the rules for XHR, which is very different. In particular, although you keep mentioning video, the browser has no way to know that you're planning to feed the result of your XHR into a video player. In particular, in order to use MSE, you have to give all the bytes from the XHR to JavaScript code, and that JavaScript code could do anything with the data, whether or not it feeds it through MSE. AFAICT.

In order for browsers to be able to appropriately scope the allowance for mixed content that you are asking for, a purely declarative mechanism for MSE would be needed. But, there is no such declarative mechanism and I don't think there is any hope for one. That means that the only options appear to be an inappropriately-widely-scoped exemption for XHR or no new exemption at all. There doesn't seem to be much middle ground for a compromise.

Cheers,
Brian

Received on Wednesday, 12 November 2014 22:40:16 UTC