Re: [SRI] Escaping mixed-content blocking for video distribution

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 12 Nov 2014 14:50:39 -0800
Message-ID: <CAEnTvdAOixDNM7QuaZZi6TViEQSGvhJVRqfgy_3Jd0EFsFFxvQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Nov 12, 2014 at 2:39 PM, Brian Smith <brian@briansmith.org> wrote:

> On Mon, Nov 3, 2014 at 10:25 AM, Mark Watson <watsonm@netflix.com> wrote:
> > I expect most people are familiar with the debate as to whether Encrypted
> > Media Extensions should require a secure origin and also the fact that that
> > debate might become moot if it were possible to deliver video content over
> > HTTP on an HTTPS site (including video fetched using XHR and played using
> > the Media Source Extensions).
>
> Mark,
>
> First of all, most/all browsers already automatically load
> mixed-content video presented through <video>. But, you're asking
> browsers to loosen the rules for XHR, which is very different. In
> particular, although you keep mentioning video, the browser has no way
> to know that you're planning to feed the result of your XHR into a
> video player. In particular, in order to use MSE, you have to give all
> the bytes from the XHR to Javascript code, and that Javascript code
> could do anything with the data, whether or not it feeds it through
> MSE.
>

Yes. If this is a big concern, then it would be a reason to consider the
video-specific option I outlined in my earlier mail.

However, what is the concern with respect to passing the XHR bytes to
Javascript? If this is a security concern, isn't this mitigated by the
requirement for the script to provide a hash of the response? Presumably,
if the script has a hash of the response, then it could probably obtain the
actual response some other way (indeed, it could request it over HTTPS).
So, we're not giving any bytes to Javascript that it couldn't get anyway.

...Mark


>
> AFAICT. In order for browsers to be able to appropriately scope the
> allowance for mixed content that you are asking for, a purely
> declarative mechanism for MSE would be needed. But, there is no such
> declarative mechanism and I don't think there is any hope for one.
> That means that the only options appear to be an
> inappropriately-widely-scoped exemption for XHR or no new exemption at
> all. There doesn't seem to be much middle ground for a compromise.
>
> Cheers,
> Brian
>
Received on Wednesday, 12 November 2014 22:51:06 UTC