W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

RE: [mixed-content] DASH Players and Mixed Content

From: Jon Piesing <Jon.Piesing@tpvision.com>
Date: Fri, 18 Sep 2015 15:00:26 +0000
To: Anne van Kesteren <annevk@annevk.nl>, "Nottingham, Mark" <mnotting@akamai.com>
CC: Brad Hill <hillbrad@gmail.com>, Ben Gidley <ben@gidley.co.uk>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <61761EDC91441E408304E42BC16CC161606D9D73@BEBRUEX003.tpvision.com>
I work for TP Vision who develop and design Philips branded TV sets for Europe, South America and South-East Asia.
I've been lurking here for a while & while we're not a W3C member, we are putting DASH players in our TV sets and working with video distributors to get DASH content to them.

> On Fri, Sep 18, 2015 at 3:47 PM, Nottingham, Mark <mnotting@akamai.com>
> wrote:
> > On 18 Sep 2015, at 3:04 am, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> >> Do you mean that the majority of streaming going forward will not go
> >> over HTTPS? Or that it will go over HTTPS but that CORS or
> >> same-origin is impossible? Because in all other scenarios we're not
> >> dealing with opaque responses.
> >
> > This was in relation to Ryan's proposal for Video over HTTP for HTTPS pages:
> >
> > https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0371.htm

> > l
> 
> Does that you mean you expect the majority of streaming going forward to
> not use HTTPS? And in addition, that you need access to the contents of
> Mixed Content streams (whereas CORS currently isn't available for Mixed
> Content)?

We expect companies who do not own and operate their own CDN to be very reluctant to move to HTTPS for streaming. If Mixed Content forces them to choose between :
1) streaming over HTTPS, or
2) working within the limitations of what can be done with the <video> element on various UAs, or
3) using MSE with HTML pages delivered over HTTP rather than HTTPS 
then we expect they will choose the second or third of these and avoid the first except where there's no other way to reach the people concerned. DASH over HTTP is already too much for some smaller content providers who just choose the second of these.

There seems to be some interest in EME 'Clear Key' over HTTP. Will the benefits of doing 'Clear Key' over HTTPS really justify the extra cost & hassle relative to doing it over HTTP?

We agree with the comments from Akamai about many use cases needing access to the contents of the stream. There are more examples beyond those given - e.g. in-band captions/subtitles.

It's a pity that, in spite of its general benefits, Mixed Content seems to cause significant collateral damage to MSE.

Regards

Jon
Received on Friday, 18 September 2015 15:01:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC