
Re: [SRI] Escaping mixed-content blocking for video distribution

From: Brian Smith <brian@briansmith.org>
Date: Wed, 12 Nov 2014 14:39:48 -0800
Message-ID: <CAFewVt6xjJXwN5dDvvzopOO44KqwXWB6vOnB0Ad2E1+SkZ_hsA@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 3, 2014 at 10:25 AM, Mark Watson <watsonm@netflix.com> wrote:
> I expect most people are familiar with the debate as to whether Encrypted
> Media Extensions should require a secure origin and also the fact that that
> debate might become moot if it were possible to deliver video content over
> HTTP on an HTTPS site (including video fetched using XHR and played using
> the Media Source Extensions).

Mark,

First of all, most/all browsers already automatically load
mixed-content video presented through <video>. But, you're asking
browsers to loosen the rules for XHR, which is very different. In
particular, although you keep mentioning video, the browser has no way
to know that you're planning to feed the result of your XHR into a
video player. In particular, in order to use MSE, you have to give all
the bytes from the XHR to JavaScript code, and that JavaScript code
could do anything with the data, whether or not it feeds it through
MSE.

AFAICT, in order for browsers to be able to appropriately scope the
allowance for mixed content that you are asking for, a purely
declarative mechanism for MSE would be needed. But, there is no such
declarative mechanism and I don't think there is any hope for one.
That means that the only options appear to be an
inappropriately-widely-scoped exemption for XHR or no new exemption at
all. There doesn't seem to be much middle ground for a compromise.

Cheers,
Brian
Received on Wednesday, 12 November 2014 22:40:16 UTC
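
The scoping problem raised in the message above, as an added example that is not part of the original message and is not any browser's code. It is a simplified model of a mixed-content check: the request shapes, the `exemptXhr` flag, the helper names and the example.* URLs are all assumptions made for illustration.

```javascript
// Simplified model of a browser's mixed-content check (constructed for
// illustration). The check runs when the request is made and sees only
// what the request declares about itself.
const PASSIVE_DESTINATIONS = new Set(["image", "audio", "video"]);

// exemptXhr models the hypothetical XHR exemption discussed in the thread.
function mixedContentDecision(pageUrl, request, exemptXhr = false) {
  const page = new URL(pageUrl);
  const target = new URL(request.url);
  if (page.protocol !== "https:" || target.protocol === "https:") return "allow";
  if (PASSIVE_DESTINATIONS.has(request.destination)) return "allow";
  if (exemptXhr && request.initiator === "xhr") return "allow";
  return "block";
}

// <video src="http://...">: the element declares what the bytes are for.
function videoElementRequest(url) {
  return { url, initiator: "video-element", destination: "video" };
}

// XHR: no declared destination; the response body is handed to script.
function xhrRequest(url) {
  return { url, initiator: "xhr", destination: "" };
}

// What page script does with the response happens after the check and is
// invisible to it. sourceBuffer stands in for an MSE SourceBuffer;
// otherSinks stands in for any other code given the same bytes.
function onXhrLoad(bytes, sourceBuffer, otherSinks) {
  sourceBuffer.appendBuffer(bytes);
  for (const sink of otherSinks) sink(bytes);
}

// Constructed sample values.
const PAGE = "https://player.example/watch";
const SEGMENT = "http://cdn.example/segment1.mp4";
const DATA = "http://api.example/data.json";

function demo() {
  const seen = [];
  const fakeSourceBuffer = { appendBuffer: (b) => seen.push(["mse", b.byteLength]) };
  onXhrLoad(new Uint8Array([0, 0, 0, 24]).buffer, fakeSourceBuffer,
            [(b) => seen.push(["script", b.byteLength])]);
  return {
    video: mixedContentDecision(PAGE, videoElementRequest(SEGMENT)),
    xhr: mixedContentDecision(PAGE, xhrRequest(SEGMENT)),
    xhrExemptVideo: mixedContentDecision(PAGE, xhrRequest(SEGMENT), true),
    xhrExemptOther: mixedContentDecision(PAGE, xhrRequest(DATA), true),
    seen,
  };
}
```

In this model the video segment and the JSON request are indistinguishable once the XHR exemption is switched on, because neither request declares where its bytes will end up.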
