Bug 26838: make clear that behaviour on unauthenticated origins is an open issue
author Mark Watson <watsonm@netflix.com>
Thu, 30 Oct 2014 19:48:29 -0700
changeset 489 0041644aeabd
parent 488 be9998cf708c
child 490 97e7a06cbc4d
Bug 26838: make clear that behaviour on unauthenticated origins is an open issue
encrypted-media/encrypted-media-respec.html
encrypted-media/encrypted-media.html
--- a/encrypted-media/encrypted-media-respec.html	Fri Oct 24 13:46:25 2014 -0700
+++ b/encrypted-media/encrypted-media-respec.html	Thu Oct 30 19:48:29 2014 -0700
@@ -329,8 +329,18 @@
             <ol class="method-algorithm">
               <li><p>If <var title="true">keySystem</var> is an empty string, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
               <li><p>If <var title="true">supportedConfigurations</var> was provided and is empty, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
-              <li><p>If the <a def-id="origin"></a> of the calling context's <a def-id="document-concept"></a> is not an <a def-id="authenticated-origin"></a> [[!MIXED-CONTENT]], return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>.</p>
-                <p class="issue"><a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332">Bug 26332</a> - There are open questions whether a) there are alternative ways to normatively achieve the same security and privacy properties as this step and b) it is possible to reduce the impact of the resulting requirement that media data provided via MSE also be served from a secure origin.</p>
+              <li><p>If the <a def-id="origin"></a> of the calling context's <a def-id="document-concept"></a> is not an <a def-id="authenticated-origin"></a> [[!MIXED-CONTENT]]:
+                <ul style="list-style-type:none">
+                  <li>
+                    <p class="issue">
+                      <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332">Bug 26332</a> - The availability of this API on unauthenticated origins is an open issue. It has been proposed
+                      that such access not be allowed at all or be allowed only in specific circumstances. It is likely that there will be scenarios where access from an unauthenticated origin
+                      is not allowed. It is also an open issue whether and how the impact of serving audio/video media over secure transport can be mitigated.
+                    </p>
+                  </li>
+                </ul>
+              </p>
+
               </li>
               <li><p>If <var title="true">keySystem</var> is not one of the <a def-id="keysystems"></a> supported by the user agent, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>. String comparison is case-sensitive.</p></li>
               <li><p>Let <var>promise</var> be a new promise.</p></li>
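Review bot: The rewritten step "If the origin ... is not an authenticated origin [[!MIXED-CONTENT]]:" no longer specifies any action, because its only sub-item is the issue note. An implementation that follows the algorithm literally now falls through to the keySystem check on an unauthenticated origin, where the removed line returned a promise rejected with NotSupportedError. If the behaviour really is undecided, say so in the step itself (for example, that the user agent may reject here pending Bug 26332) instead of leaving a condition with an empty body. The new issue text also drops the earlier mention of media data provided via MSE and of the security and privacy properties the step was meant to protect, and both are worth keeping so readers know what is at stake. Separately, the <ul> is opened inside the <p> and the </p> comes after </ul>, which is not valid HTML; close the paragraph before the list.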
--- a/encrypted-media/encrypted-media.html	Fri Oct 24 13:46:25 2014 -0700
+++ b/encrypted-media/encrypted-media.html	Thu Oct 30 19:48:29 2014 -0700
@@ -445,7 +445,7 @@
   </p>
   <h1 class="title p-name" id="title" property="dcterms:title">Encrypted Media Extensions</h1>
   
-  <h2 property="dcterms:issued" datatype="xsd:dateTime" content="2014-10-24T20:44:33.000Z" id="w3c-editor-s-draft-24-october-2014"><abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published" datetime="2014-10-24">24 October 2014</time></h2>
+  <h2 property="dcterms:issued" datatype="xsd:dateTime" content="2014-10-31T00:45:30.000Z" id="w3c-editor-s-draft-30-october-2014"><abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published" datetime="2014-10-30">30 October 2014</time></h2>
   <dl>
     
       <dt>This version:</dt>
@@ -806,8 +806,18 @@
               </td></tr></tbody></table><div><em>Return type: </em><code>Promise&lt;<a href="#idl-def-MediaKeySystemAccess" class="idlType"><code>MediaKeySystemAccess</code></a>&gt;</code></div><p>When this method is invoked, the user agent must run the following steps:</p><ol class="method-algorithm">
               <li><p>If <var title="true">keySystem</var> is an empty string, return a promise rejected with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-InvalidAccessError">InvalidAccessError</a></code>.</p></li>
               <li><p>If <var title="true">supportedConfigurations</var> was provided and is empty, return a promise rejected with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-InvalidAccessError">InvalidAccessError</a></code>.</p></li>
-              <li><p>If the <a href="http://www.w3.org/TR/html5/browsers.html#origin-0">origin</a> of the calling context's <a href="http://dom.spec.whatwg.org/#concept-document">Document</a> is not an <a href="http://www.w3.org/TR/mixed-content/#authenticated-origin">authenticated origin</a> [<cite><a class="bibref" href="#bib-MIXED-CONTENT">MIXED-CONTENT</a></cite>], return a promise rejected with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-NotSupportedError">NotSupportedError</a></code>.</p>
-                <div class="issue"><div class="issue-title" aria-level="3" role="heading" id="h_issue_3"><span>Issue 3</span></div><p class=""><a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332">Bug 26332</a> - There are open questions whether a) there are alternative ways to normatively achieve the same security and privacy properties as this step and b) it is possible to reduce the impact of the resulting requirement that media data provided via MSE also be served from a secure origin.</p></div>
+              <li><p>If the <a href="http://www.w3.org/TR/html5/browsers.html#origin-0">origin</a> of the calling context's <a href="http://dom.spec.whatwg.org/#concept-document">Document</a> is not an <a href="http://www.w3.org/TR/mixed-content/#authenticated-origin">authenticated origin</a> [<cite><a class="bibref" href="#bib-MIXED-CONTENT">MIXED-CONTENT</a></cite>]:
+                </p><ul style="list-style-type:none">
+                  <li>
+                    <div class="issue"><div class="issue-title" aria-level="3" role="heading" id="h_issue_3"><span>Issue 3</span></div><p class="">
+                      <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332">Bug 26332</a> - The availability of this API on unauthenticated origins is an open issue. It has been proposed
+                      that such access not be allowed at all or be allowed only in specific circumstances. It is likely that there will be scenarios where access from an unauthenticated origin
+                      is not allowed. It is also an open issue whether and how the impact of serving audio/video media over secure transport can be mitigated.
+                    </p></div>
+                  </li>
+                </ul>
+              <p></p>
+
               </li>
               <li><p>If <var title="true">keySystem</var> is not one of the <a href="#key-system">Key Systems</a> supported by the user agent, return a promise rejected with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-NotSupportedError">NotSupportedError</a></code>. String comparison is case-sensitive.</p></li>
               <li><p>Let <var>promise</var> be a new promise.</p></li>
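Review bot: The generated output here confirms the markup problem in the respec source: the paragraph is closed early as "</p><ul style=...>" and a stray empty "<p></p>" is emitted after "</ul>". Fix the nesting in encrypted-media-respec.html and regenerate rather than committing this output. As in the source, the step ends at the colon with only Issue 3 beneath it, so the published algorithm gives user agents no instruction for unauthenticated origins.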
@@ -2667,7 +2677,7 @@
 
 <form id="bug-assist-form" action="//www.w3.org/Bugs/Public/enter_bug.cgi" target="_blank">See a problem? Select text and <input type="submit" accesskey="f" value="file a bug" style="font-family: Tahoma, sans-serif; font-size: 10px;"><input type="hidden" name="comment" value=""><input type="hidden" name="product" value="HTML WG"><input type="hidden" name="component" value="Encrypted Media Extensions">.</form><section id="references" class="appendix" typeof="bibo:Chapter" resource="#references" rel="bibo:Chapter"><!--OddPage--><h2 role="heading" id="h2_references"><span class="secno">A. </span>References</h2><section id="normative-references" typeof="bibo:Chapter" resource="#normative-references" rel="bibo:Chapter"><h3 role="heading" id="h3_normative-references"><span class="secno">A.1 </span>Normative references</h3><dl class="bibliography" about=""><dt id="bib-DOM">[DOM]</dt><dd rel="dcterms:requires">Anne van Kesteren; Aryeh Gregor; Ms2ger; Alex Russell; Robin Berjon. <a href="http://www.w3.org/TR/dom/"><cite>W3C DOM4</cite></a>. 10 July 2014. W3C Last Call Working Draft. URL: <a href="http://www.w3.org/TR/dom/">http://www.w3.org/TR/dom/</a>
 </dd><dt id="bib-ENCODING">[ENCODING]</dt><dd rel="dcterms:requires">Anne van Kesteren; Joshua Bell; Addison Phillips. <a href="http://www.w3.org/TR/encoding/"><cite>Encoding</cite></a>. 16 September 2014. W3C Candidate Recommendation. URL: <a href="http://www.w3.org/TR/encoding/">http://www.w3.org/TR/encoding/</a>
-</dd><dt id="bib-HTML5">[HTML5]</dt><dd rel="dcterms:requires">Robin Berjon; Steve Faulkner; Travis Leithead; Erika Doyle Navara; Edward O'Connor; Silvia Pfeiffer. <a href="http://www.w3.org/TR/html5/"><cite>HTML5</cite></a>. 16 September 2014. W3C Proposed Recommendation. URL: <a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
+</dd><dt id="bib-HTML5">[HTML5]</dt><dd rel="dcterms:requires">Robin Berjon; Steve Faulkner; Travis Leithead; Erika Doyle Navara; Edward O'Connor; Silvia Pfeiffer. <a href="http://www.w3.org/TR/html5/"><cite>HTML5</cite></a>. 28 October 2014. W3C Recommendation. URL: <a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
 </dd><dt id="bib-JWK">[JWK]</dt><dd rel="dcterms:requires">Mike Jones. <a href="http://tools.ietf.org/html/draft-ietf-jose-json-web-key-11"><cite>JSON Web Key (JWK)</cite></a>. 28 May 2013. Internet Draft. URL: <a href="http://tools.ietf.org/html/draft-ietf-jose-json-web-key-11">http://tools.ietf.org/html/draft-ietf-jose-json-web-key-11</a>
 </dd><dt id="bib-MIXED-CONTENT">[MIXED-CONTENT]</dt><dd rel="dcterms:requires">Mike West. <a href="http://www.w3.org/TR/mixed-content/"><cite>Mixed Content</cite></a>. 16 September 2014. W3C Working Draft. URL: <a href="http://www.w3.org/TR/mixed-content/">http://www.w3.org/TR/mixed-content/</a>
 </dd><dt id="bib-WebIDL">[WebIDL]</dt><dd rel="dcterms:requires">Cameron McCormack. <a href="http://www.w3.org/TR/WebIDL/"><cite>Web IDL</cite></a>. 19 April 2012. W3C Candidate Recommendation. URL: <a href="http://www.w3.org/TR/WebIDL/">http://www.w3.org/TR/WebIDL/</a>
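Review bot: The [HTML5] reference change from "16 September 2014. W3C Proposed Recommendation" to "28 October 2014. W3C Recommendation" is unrelated to Bug 26838 and appears to be a side effect of regenerating the file. Mention the regeneration in the commit message or land it separately, so the history of the unauthenticated-origin change stays easy to audit.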