W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Netflix, MSE, and EME

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 14 Nov 2014 23:49:27 +0100
Message-ID: <CADnb78ikCJFg1fkQ-NwS7fRDyAk7TajJziVmZ6RPtwQUCjmfEg@mail.gmail.com>
To: Henri Sivonen <hsivonen@hsivonen.fi>, Mark Watson <watsonm@netflix.com>, David Dorwin <ddorwin@google.com>, Mike West <mkwst@google.com>, Jake Archibald <jaffathecake@gmail.com>, "public-html-media@w3.org" <public-html-media@w3.org>, WebAppSec WG <public-webappsec@w3.org>, Ryan Sleevi <sleevi@google.com>
Here are some presumed facts:

* Service workers require TLS.
* Since we do not want service workers to affect legacy mixed content,
fetch() with mode /no CORS/ can still fetch non-TLS content. The
response to this is an opaque blob. (I don't like this, but Jake tells
me this is how Chrome will do it.)
* Netflix does not care about reading the contents of a response, it
just wants to feed it into <video>.

Given this, if we enable MSE to work with opaque responses, EME can
require TLS, and Netflix can use TLS, while still not using it for

Received on Friday, 14 November 2014 22:49:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC