Re: Comments on the EME opinion

On Wed, Oct 22, 2014 at 12:17 AM, Henri Sivonen <hsivonen@hsivonen.fi>
wrote:

> On Sat, Oct 18, 2014 at 12:23 AM, Mark Watson <watsonm@netflix.com> wrote:
> > On Fri, Oct 17, 2014 at 2:08 PM, Domenic Denicola
> > <domenic@domenicdenicola.com> wrote:
> >> Finally there's the aspect that the TAG would prefer any
> privacy-sensitive
> >> features (of which EME is one, I believe) to be restricted to secure
> >> origins. Search for "RESOLUTION: We support..." in
> >>
> https://github.com/w3ctag/meetings/blob/gh-pages/2014/sept29-oct1/09-29-f2f-minutes.md
> .
> >
> > In practice there's no reason for EME in browsers to be any more privacy
> > sensitive than regular cookies.
>
> I agree that that's true in *principle*. However, as far as *practice*
> goes, is any browser other than Firefox known to have made or be on
> track making it true in *practice*? I don't recall any browser vendor
> other than Mozilla having made public statements about endeavors to
> make it so. OTOH, the concerns Googlers raised in
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332 strongly suggest
> that they have a concrete reason (that they don't name) to be worried
> about it not being true for some key system / CDM.
>

​Google, and other UA vendors, will have to speak for themselves. But my
point was that the UA should know whether the CDM exposes identifiers in a
way that raises any greater privacy concern than regular cookies. If it
does raise such concerns - or it for some reason they don't know - then the
UA implementor might take the view that the use of that CDM should be
restricted to HTTPS​. If not, why should they be required to restrict it ?

...Mark




>
> --
> Henri Sivonen
> hsivonen@hsivonen.fi
> https://hsivonen.fi/
>