Bug 21203 - EME leaks information cross-origin
author Adrian Bateman <adrianba@microsoft.com>
Tue, 04 Jun 2013 08:01:41 -0700
changeset 131 69dbfb8baca8
parent 130 1ac9c2205a7b
child 132 63675668846c
Bug 21203 - EME leaks information cross-origin
encrypted-media/encrypted-media.html
encrypted-media/encrypted-media.xml
encrypted-media/spec-html.xsl
--- a/encrypted-media/encrypted-media.html	Sat Jun 01 12:58:28 2013 -0700
+++ b/encrypted-media/encrypted-media.html	Tue Jun 04 08:01:41 2013 -0700
@@ -57,7 +57,7 @@
     <div class="head">
       <p><a href="http://www.w3.org/"><img src="https://www.w3.org/Icons/w3c_home" alt="W3C" width="72" height="48"></a></p>
       <h1>Encrypted Media Extensions</h1>
-      <h2 id="draft-date">W3C Editor's Draft 28 May 2013</h2>
+      <h2 id="draft-date">W3C Editor's Draft 4 June 2013</h2>
       <dl>
         <dt>This Version:</dt>
         <dd><a href="http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html">http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html</a></dd>
@@ -256,6 +256,12 @@
     This data has a container-specific format and is assumed to contain one or more generic or Key System-specific sets of initialization information.
     </p>
 
+    <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
+    <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <code><a href="#dom-needkey">needkey</a></code>
+    and <code><a href="#dom-keymessage">keymessage</a></code> events, <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> needs to be <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> with the embedding page or
+    use the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-img-crossorigin">crossorigin</a> attribute on the
+    media element and CORS headers on the media data response to authorize cross-origin information exposure.
+    </p>
 
     <h2 id="extensions">2. Media Element Extensions</h2>
     <p>We extend <dfn id="media-element" title="media element"><a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-element">media element</a></dfn> to allow decryption key acquisition to be handled in JavaScript.</p>
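Review bot: the `crossorigin` link in the new 1.2.5 paragraph points at `#attr-img-crossorigin`, the img element's attribute, while the sentence describes the attribute on the media element; point it at the media element's crossorigin attribute definition instead. The paragraph also names only the needkey and keymessage events, but the same patch makes key request generation conditional on CORS-same-origin media data, so the section should say that generating a key request is gated as well. Minor: the heading reads "Cross Origin Support" while the body uses "cross-origin"; pick one hyphenation.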
@@ -379,7 +385,8 @@
           <li>
 <p>Use <var title="true">cdm</var> to generate a key request and follow the steps for the first matching condition from the following list:</p>
             <dl class="switch">
-              <dt>If a request is successfully generated</dt>
+              <dt>If a request is successfully generated and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
+</dt>
               <dd>
               <ol>
                 <li>
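Review bot: the changed `<dt>` now covers only the case where a request is generated and the media data is CORS-same-origin, but the hunk does not show which branch a successfully generated request with non-same-origin media data falls into; add an explicit "Otherwise" branch (or extend the failure branch) stating that the task fails, as the Need Key hunk later in this patch does, so the behaviour is not left to whichever condition happens to match next.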
@@ -491,6 +498,7 @@
           <li>If <var title="true">did store key</var> is true and the <a href="#media-element">media element</a> is <a href="#waiting-for-a-key">waiting for a key</a>, <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to attempt to resume playback.
             <p class="non-normative">In other words, resume playback if the necessary key is provided.</p>
           </li>
+          <li><p>If <var title="true">next message</var> is not null and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is not <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>, jump to the <i>Error</i> step below and perform the task failed steps.</p></li>
           <li>
 <p>If <var title="true">next message</var> is not null, <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-keymessage">keymessage</a></code> at the <code><a href="#dom-mediakeysession">MediaKeySession</a></code> object.</p>
              <p>The event is of type <code><a href="#dom-mediakeymessageevent">MediaKeyMessageEvent</a></code> and has:</p>
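Review bot: the new cross-origin check is inserted after the step that resumes playback when `did store key` is true, so a cross-origin key response can already have stored a key and resumed playback before the task is failed; move the check ahead of the `did store key` steps, or state that it only suppresses the keymessage event, in which case "jump to the Error step" overstates it. The phrase "jump to the Error step below and perform the task failed steps" also relies on an Error step whose own condition is "If any of the preceding steps in the task failed"; say explicitly that this condition counts as the task failing, e.g. "treat the task as failed and run the Error step below".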
@@ -501,7 +509,7 @@
           </li>
           <li><p>If <var title="true">did store key</var> is true, <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-keyadded">keyadded</a></code> at the <code><a href="#dom-mediakeysession">MediaKeySession</a></code> object.</p></li>
           <li>
-<p>If any of the preceding steps in the task failed</p>
+<p><i>Error</i>: If any of the preceding steps in the task failed</p>
               <ol>
                 <li>
 <p>Create a new <code><a href="#dom-mediakeyerror">MediaKeyError</a></code> object with the following attributes:</p>
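Review bot: the `<i>Error</i>:` label that the earlier cross-origin step jumps to is plain italic text with no `id`, so the cross-reference is textual only; give the step an anchor (for example `id="task-failed"`, a suggested name) and link to it from the new step.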
@@ -585,7 +593,7 @@
           <li>The media element's <code><a href="#dom-keys">keys</a></code> attribute is null</li>
         </ol>
       </dd>
-      <p class="non-normative">Applications that support encrypted media should provide a <code><a href="#dom-needkey">needkey</a></code> handle and/or call <code><a href="#dom-setmediakeys">setMediaKeys()</a></code> no later than when <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is provided.</p>
+      <p class="non-normative">Applications that support encrypted media should provide a <code><a href="#dom-needkey">needkey</a></code> handler and/or call <code><a href="#dom-setmediakeys">setMediaKeys()</a></code> no later than when <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is provided.</p>
       <p class="non-normative">If the user agent does not support decryption of this <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a>, it should report the same error it would for any other unsupported media data (e.g. <code>MEDIA_ERR_SRC_NOT_SUPPORTED</code>).</p>
     </dl>
 
@@ -801,7 +809,15 @@
         </ol>
       </li>
       <li>
-<p><i>Need Key</i>: <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-needkey">needkey</a></code> at the <a href="#media-element">media element</a>.</p>
+<p><i>Need Key</i>:</p>
+        <dl class="switch">
+          <dt>If the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
+</dt>
+          <dd>
+<a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-needkey">needkey</a></code> at the <a href="#media-element">media element</a>.</dd>
+          <dt>Otherwise</dt>
+          <dd>Abort media element's <a href="http://www.w3.org/TR/html5/embedded-content-0.html#concept-media-load-resource">resource fetch algorithm</a> and run the steps to report a <code><a href="#dom-media_err_encrypted">MEDIA_ERR_ENCRYPTED</a></code> error.</dd>
+        </dl>
         <p>The event is of type <code><a href="#dom-mediakeyneededevent">MediaKeyNeededEvent</a></code> and has:</p>
         <ul style="list-style-type:none"><li>
           <code><a href="#dom-initdata">initData</a></code> = <var title="">initData</var>
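Review bot: once the `Need Key` step becomes a switch, the paragraph "The event is of type MediaKeyNeededEvent and has:" and the attribute list after it sit outside the closing `</dl>`, so they now read as applying to both branches, including the "Otherwise" branch that fires no event; move them inside the CORS-same-origin `<dd>`. Minor wording in the Otherwise branch: "Abort media element's resource fetch algorithm" should be "Abort the media element's resource fetch algorithm".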
@@ -848,7 +864,7 @@
           </dl>
           <p class="non-normative">Note: Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p>
         </dd>
-        <dt>If there is an event handler for <code><a href="#dom-needkey">needkey</a></code>
+        <dt>If there is an event handler for <code><a href="#dom-needkey">needkey</a></code> and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
 </dt>
         <dd>
         <p>Take no action.</p>
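Review bot: adding "and the media data is CORS-same-origin" to this `<dt>` means a page that has a needkey handler but cross-origin media data no longer matches "Take no action" and falls through to whatever condition follows, which this hunk does not show; confirm that the fall-through reports MEDIA_ERR_ENCRYPTED like the Otherwise branch in the Need Key step, or add an explicit branch here so the two places cannot drift apart.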
--- a/encrypted-media/encrypted-media.xml	Sat Jun 01 12:58:28 2013 -0700
+++ b/encrypted-media/encrypted-media.xml	Tue Jun 04 08:01:41 2013 -0700
@@ -56,7 +56,7 @@
     <div class="head">
       <p><a href="http://www.w3.org/"><img src="https://www.w3.org/Icons/w3c_home" alt="W3C" width="72" height="48" /></a></p>
       <h1>Encrypted Media Extensions</h1>
-      <h2 id="draft-date">W3C Editor's Draft 28 May 2013</h2>
+      <h2 id="draft-date">W3C Editor's Draft 4 June 2013</h2>
       <dl>
         <dt>This Version:</dt>
         <dd><a href="http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html">http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html</a></dd>
@@ -252,6 +252,12 @@
     This data has a container-specific format and is assumed to contain one or more generic or Key System-specific sets of initialization information.
     </p>
 
+    <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
+    <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <coderef>needkey</coderef>
+    and <coderef>keymessage</coderef> events, <videoanchor name="media-data">media data</videoanchor> needs to be <cors-same-origin/> with the embedding page or
+    use the <videoanchor name="attr-img-crossorigin">crossorigin</videoanchor> attribute on the
+    media element and CORS headers on the media data response to authorize cross-origin information exposure.
+    </p>
 
     <h2 id="extensions">2. Media Element Extensions</h2>
     <p>We extend <dfn id="media-element" title="media element"><media-element/></dfn> to allow decryption key acquisition to be handled in JavaScript.</p>
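Review bot: the HTML is rendered from this XML via spec-html.xsl, so the crossorigin reference needs fixing here rather than in the output: `<videoanchor name="attr-img-crossorigin">` resolves to the img element's attribute, while the sentence is about the attribute on the media element; use the anchor name for the media element's crossorigin attribute.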
@@ -367,7 +373,7 @@
           <li><p>Let <var title="true">defaultURL</var> be null.</p></li>
           <li><p>Use <var title="true">cdm</var> to generate a key request and follow the steps for the first matching condition from the following list:</p>
             <dl class="switch">
-              <dt>If a request is successfully generated</dt>
+              <dt>If a request is successfully generated and the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
               <dd>
               <ol>
                 <li><p>Let <var title="true">key request</var> be a key request generated by the <a href="#cdm">CDM</a> using <var title="true">initData</var>, if provided.</p>
@@ -472,6 +478,7 @@
           <li>If <var title="true">did store key</var> is true and the <a href="#media-element">media element</a> is <a href="#waiting-for-a-key">waiting for a key</a>, <queue-a-task/> to attempt to resume playback.
             <p class="non-normative">In other words, resume playback if the necessary key is provided.</p>
           </li>
+          <li><p>If <var title="true">next message</var> is not null and the <videoanchor name="media-data">media data</videoanchor> is not <cors-same-origin/>, jump to the <i>Error</i> step below and perform the task failed steps.</p></li>
           <li><p>If <var title="true">next message</var> is not null, <queue-a-task/> to <fire-a-simple-event/> named <coderef>keymessage</coderef> at the <coderef>MediaKeySession</coderef> object.</p>
              <p>The event is of type <coderef>MediaKeyMessageEvent</coderef> and has:</p>
              <ul style="list-style-type:none"><li>
@@ -480,7 +487,7 @@
              </li></ul>
           </li>
           <li><p>If <var title="true">did store key</var> is true, <queue-a-task/> to <fire-a-simple-event/> named <coderef>keyadded</coderef> at the <coderef>MediaKeySession</coderef> object.</p></li>
-          <li><p>If any of the preceding steps in the task failed</p>
+          <li><p><i>Error</i>: If any of the preceding steps in the task failed</p>
               <ol>
                 <li><p>Create a new <coderef>MediaKeyError</coderef> object with the following attributes:</p>
                   <ul style="list-style-type:none"><li>
@@ -555,7 +562,7 @@
           <li>The media element's <coderef>keys</coderef> attribute is null</li>
         </ol>
       </dd>
-      <p class="non-normative">Applications that support encrypted media should provide a <coderef>needkey</coderef> handle and/or call <methodref>setMediaKeys</methodref> no later than when <videoanchor name="media-data">media data</videoanchor> is provided.</p>
+      <p class="non-normative">Applications that support encrypted media should provide a <coderef>needkey</coderef> handler and/or call <methodref>setMediaKeys</methodref> no later than when <videoanchor name="media-data">media data</videoanchor> is provided.</p>
       <p class="non-normative">If the user agent does not support decryption of this <videoanchor name="media-data">media data</videoanchor>, it should report the same error it would for any other unsupported media data (e.g. <code>MEDIA_ERR_SRC_NOT_SUPPORTED</code>).</p>
     </dl>
 
@@ -752,7 +759,13 @@
           </li>
         </ol>
       </li>
-      <li><p><i>Need Key</i>: <queue-a-task/> to <fire-a-simple-event/> named <coderef>needkey</coderef> at the <a href="#media-element">media element</a>.</p>
+      <li><p><i>Need Key</i>:</p>
+        <dl class="switch">
+          <dt>If the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
+          <dd><Queue-a-task/> to <fire-a-simple-event/> named <coderef>needkey</coderef> at the <a href="#media-element">media element</a>.</dd>
+          <dt>Otherwise</dt>
+          <dd>Abort media element's <resource-fetch-algorithm/> and run the steps to report a <coderef>MEDIA_ERR_ENCRYPTED</coderef> error.</dd>
+        </dl>
         <p>The event is of type <coderef>MediaKeyNeededEvent</coderef> and has:</p>
         <ul style="list-style-type:none"><li>
           <coderef>initData</coderef> = <var title="">initData</var>
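Review bot: `<Queue-a-task/>` in the new CORS-same-origin `<dd>` is a second element that differs from `<queue-a-task/>` only in case, added so the sentence can start with a capital letter; rewording the branch so the link is not sentence-initial (for example "If the media data is CORS-same-origin, <queue-a-task/> to ...") avoids both the new element and its matching template in spec-html.xsl. As with the HTML, the "The event is of type MediaKeyNeededEvent" paragraph should move inside the same-origin `<dd>` so it does not apply to the Otherwise branch.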
@@ -796,7 +809,7 @@
           </dl>
           <p class="non-normative">Note: Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p>
         </dd>
-        <dt>If there is an event handler for <coderef>needkey</coderef></dt>
+        <dt>If there is an event handler for <coderef>needkey</coderef> and the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
         <dd>
         <p>Take no action.</p>
         <p class="non-normative">The <a href="#media-element">media element</a> is said to be <videoref name="potentially-playing">potentially playing</videoref>
--- a/encrypted-media/spec-html.xsl	Sat Jun 01 12:58:28 2013 -0700
+++ b/encrypted-media/spec-html.xsl	Tue Jun 04 08:01:41 2013 -0700
@@ -116,6 +116,10 @@
     <a><xsl:attribute name="href">http://www.w3.org/TR/html5/webappapis.html#queue-a-task</xsl:attribute>queue a task</a>
   </xsl:template>
 
+  <xsl:template match="//Queue-a-task">
+    <a><xsl:attribute name="href">http://www.w3.org/TR/html5/webappapis.html#queue-a-task</xsl:attribute>Queue a task</a>
+  </xsl:template>
+
   <xsl:template match="//fire-a-simple-event">
     <a><xsl:attribute name="href">http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event</xsl:attribute>fire a simple event</a>
   </xsl:template>
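Review bot: the new `//Queue-a-task` template duplicates `//queue-a-task` except for the capital letter in the link text, so the two hrefs must now be kept in step by hand; prefer keeping one template and avoiding the sentence-initial use in the XML, or, if the capitalised form is really needed, match both spellings in a single template (`match="//queue-a-task | //Queue-a-task"`) and pick the link text from `local-name()`.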
@@ -136,6 +140,10 @@
     <a><xsl:attribute name="href">http://www.w3.org/TR/html5/infrastructure.html#ascii-compatible-character-encoding</xsl:attribute>ASCII-compatible character encoding</a>
   </xsl:template>
 
+  <xsl:template match="//cors-same-origin">
+    <a><xsl:attribute name="href">http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin</xsl:attribute>CORS-same-origin</a>
+  </xsl:template>
+
   <xsl:template match="//non-normative-section">
     <p><i>This section is non-normative.</i></p>
   </xsl:template>