W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [whatwg] Fetch, MSE, and MIX

From: Mark Watson <watsonm@netflix.com>
Date: Fri, 17 Apr 2015 08:37:19 -0700
Message-ID: <CAEnTvdCc42KNntq9x+pjtS0K-ZWDkGNNWjnCifXsVc4iUQOAXA@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Martin Thomson <martin.thomson@gmail.com>, Aaron Colwell <acolwell@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Matthew Wolenetz <wolenetz@google.com>, WHATWG <whatwg@whatwg.org>, Domenic Denicola <d@domenic.me>, "public-html-media@w3.org" <public-html-media@w3.org>
On Thu, Apr 16, 2015 at 9:57 AM, Ryan Sleevi <sleevi@google.com> wrote:

> We think this is still an important issue that needs solving if we're to
> offer a viable migration path from existing plugin-based solutions, and for
> content providers that may not have teams of engineers like Mark mentioned
> that can focus on the organization-specific challenges in getting to a
> secure default.

‚ÄčI have trouble understanding this comment. The problems we had, and
solved, in nginx, were entirely generic ‚Äčand in no way
"organization-specific". Anyone using nginx for the most basic web serving
of large objects at any kind of scale would have the same issue. nginx is
widely used and our solution will be available to anyone.

I don't mean to make a point for or against the mixed content approach, but
just that your comment above missed the point.


> As it stands, the absence of this solution makes several much less secure
> or interoperable options more desirable, both from a technological
> perspective and a user-experience. While I'm happy to hear that Netflix was
> able to solve their challenges much sooner than anticipated, and am
> appreciative that they focused resources to solving the problem, I think as
> we look to provide a compelling story for EME over wholly-proprietary (...
> rather than partially-proprietary) solutions, or look to improve the user
> experience in streaming video with MSE vs the <video> tag, this is still
> very much needed.
Received on Friday, 17 April 2015 15:38:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC