[EME] Address issues discussed in bug 27124.
author David Dorwin <ddorwin@google.com>
Thu, 23 Oct 2014 12:09:03 -0700
changeset 486 42ac6086a28a
parent 485 8b2f1cee7e87
child 487 896eb33b68a2
encrypted-media/encrypted-media-respec.html
encrypted-media/encrypted-media.html
--- a/encrypted-media/encrypted-media-respec.html	Wed Oct 22 16:31:12 2014 -0700
+++ b/encrypted-media/encrypted-media-respec.html	Thu Oct 23 12:09:03 2014 -0700
@@ -156,8 +156,12 @@
               The same applies to reinitialization, reprovisioning, or reindividualization.
             </p>
             <p>For implementations that support per-origin initialization, such messages MUST be passed to the application via the APIs.
+              Such messages MUST NOT contain non-origin-specific per-client information, such as unique client identifiers.
               As with all other uses of the APIs, responses passed to the CDM MUST NOT contain executable code.
             </p>
+            <p class="note">To preserve the privacy properties of per-origin initialization, applications and key system servers should not defer initialization to a non-origin-specific server.
+              See <a href="#privacy-individualization">Individualization</a>.
+            </p>
           </dd>
     
           <dt id="key-system">Key System</dt>
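Review bot: The added MUST NOT in the per-origin initialization paragraph depends on the phrase "non-origin-specific per-client information", which the visible text does not define and which is hard to test an implementation against; the only example given is "unique client identifiers". Suggest listing what counts, or stating the requirement in terms of what such messages may contain. The added note likewise uses "non-origin-specific server" without defining it, while the Individualization section it links to says "a central server or other server not controlled by the application author"; reusing that wording here would keep the two places consistent.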
@@ -1033,7 +1037,7 @@
           <dt>readonly attribute MediaKeyMessageType messageType</dt>
           <dd>
             The type of the message.
-            <p>Applications MAY ignore this attribute and MUST NOT be required to handle message types.
+            <p>Implementations MUST NOT require applications to handle message types.
               Implementations MUST support applications that do not differentiate messages and MUST NOT require that applications handle message types.
               Specifically, Key Systems MUST support passing all types of messages to a single URL.
             </p>
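Review bot: The replacement sentence "Implementations MUST NOT require applications to handle message types." repeats the second half of the unchanged sentence that follows it ("... and MUST NOT require that applications handle message types."), so the paragraph now states the same requirement twice. Suggest dropping the new sentence, or trimming the following one to "Implementations MUST support applications that do not differentiate messages." The removed "Applications MAY ignore this attribute" clause was the only application-facing statement in the paragraph; if it is being dropped on purpose, a short note that applications can ignore messageType would keep that guidance visible.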
@@ -1832,6 +1836,20 @@
         <p>Thus, in addition to the various mitigations described above, if a browser supports a mode of operation intended to preserve user anonymity, then User Agent implementers should carefully consider whether access to Key Systems should be disabled in this mode.
           For example, such modes MAY prohibit creation of <a>MediaKeySystemAccess</a> objects that are <a def-id="option-stateful"></a> or use a <a def-id="option-uniqueidentifier"></a> (either as part of the CDM implementation or because the application <a def-id="requirement-required"></a> them).
         </p>
+
+        <section id="privacy-individualization">
+          <h5>Individualization</h5>
+          <p>Identifiers are sometimes obtained via a process called individualization or provisioning.
+            In all cases, implementations should avoid sending per-origin information to centralized servers since this could create a central record of all origins visited by a user or device.
+          </p>
+          <p>Per-origin individualization (resulting in a per-origin identifier) can - with appropriate precautions - provide better privacy than other individualization models. 
+            To preserve the benefits of such a design and to avoid introducing other privacy concerns:
+          </p>
+          <ul>
+            <li><p>Such implementations should not use identifiers for a device or user of a device in the individualization process.</p></li>
+            <li><p>Such implementations and the applications that support them should also avoid deferring or forwarding the individualization process to a central server or other server not controlled by the application author.</p></li>
+          </ul>
+        </section>
       </section>
   
       <section id="privacy-storedinfo">
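Review bot: The new Individualization section states its requirements with lowercase "should" and "should not", while the definition text added in the same change uses "MUST NOT" for unique client identifiers, so it is unclear whether the two bullets are normative or advisory. Suggest either using RFC 2119 keywords here or marking the section as informative and pointing to the normative statement. Minor: the added line ending in "other individualization models. " carries trailing whitespace, and the " - with appropriate precautions - " aside would read more cleanly set off with commas.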
--- a/encrypted-media/encrypted-media.html	Wed Oct 22 16:31:12 2014 -0700
+++ b/encrypted-media/encrypted-media.html	Thu Oct 23 12:09:03 2014 -0700
@@ -445,7 +445,7 @@
   </p>
   <h1 class="title p-name" id="title" property="dcterms:title">Encrypted Media Extensions</h1>
   
-  <h2 property="dcterms:issued" datatype="xsd:dateTime" content="2014-10-22T23:29:47.000Z" id="w3c-editor-s-draft-22-october-2014"><abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published" datetime="2014-10-22">22 October 2014</time></h2>
+  <h2 property="dcterms:issued" datatype="xsd:dateTime" content="2014-10-23T19:08:38.000Z" id="w3c-editor-s-draft-23-october-2014"><abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published" datetime="2014-10-23">23 October 2014</time></h2>
   <dl>
     
       <dt>This version:</dt>
@@ -597,7 +597,7 @@
       
     
   
-</section><section id="toc"><h2 class="introductory" role="heading" id="h2_toc">Table of Contents</h2><ul class="toc" role="directory" id="respecContents"><li class="tocline"><a href="#introduction" class="tocxref"><span class="secno">1. </span>Introduction</a><ul class="toc"><li class="tocline"><a href="#definitions" class="tocxref"><span class="secno">1.1 </span>Definitions</a></li></ul></li><li class="tocline"><a href="#obtaining-access-to-key-systems" class="tocxref"><span class="secno">2. </span>Obtaining Access to Key Systems</a><ul class="toc"><li class="tocline"><a href="#requestmediakeysystemaccess" class="tocxref"><span class="secno">2.1 </span>requestMediaKeySystemAccess()</a><ul class="toc"><li class="tocline"><a href="#methods" class="tocxref"><span class="secno">2.1.1 </span>Methods</a></li></ul></li><li class="tocline"><a href="#mediakeysystemoptions-dictionary" class="tocxref"><span class="secno">2.2 </span><span class="formerLink"><code>MediaKeySystemOptions</code></span> dictionary</a><ul class="toc"><li class="tocline"><a href="#dictionary-mediakeysystemoptions-members" class="tocxref"><span class="secno">2.2.1 </span>Dictionary <span class="formerLink"><code>MediaKeySystemOptions</code></span> Members</a></li></ul></li></ul></li><li class="tocline"><a href="#mediakeysystemaccess-interface" class="tocxref"><span class="secno">3. </span><span class="formerLink"><code>MediaKeySystemAccess</code></span> Interface</a><ul class="toc"><li class="tocline"><a href="#attributes" class="tocxref"><span class="secno">3.1 </span>Attributes</a></li><li class="tocline"><a href="#methods-1" class="tocxref"><span class="secno">3.2 </span>Methods</a></li></ul></li><li class="tocline"><a href="#mediakeys-interface" class="tocxref"><span class="secno">4. 
</span><span class="formerLink"><code>MediaKeys</code></span> Interface</a><ul class="toc"><li class="tocline"><a href="#methods-2" class="tocxref"><span class="secno">4.1 </span>Methods</a></li></ul></li><li class="tocline"><a href="#mediakeysession-interface" class="tocxref"><span class="secno">5. </span><span class="formerLink"><code>MediaKeySession</code></span> Interface</a><ul class="toc"><li class="tocline"><a href="#attributes-1" class="tocxref"><span class="secno">5.1 </span>Attributes</a></li><li class="tocline"><a href="#methods-3" class="tocxref"><span class="secno">5.2 </span>Methods</a></li><li class="tocline"><a href="#mediakeymessageevent" class="tocxref"><span class="secno">5.3 </span><span class="formerLink"><code>MediaKeyMessageEvent</code></span></a><ul class="toc"><li class="tocline"><a href="#constructors" class="tocxref"><span class="secno">5.3.1 </span>Constructors</a></li><li class="tocline"><a href="#attributes-2" class="tocxref"><span class="secno">5.3.2 </span>Attributes</a></li><li class="tocline"><a href="#mediakeymessageeventinit" class="tocxref"><span class="secno">5.3.3 </span><span class="formerLink"><code>MediaKeyMessageEventInit</code></span></a><ul class="toc"><li class="tocline"><a href="#dictionary-mediakeymessageeventinit-members" class="tocxref"><span class="secno">5.3.3.1 </span>Dictionary <span class="formerLink"><code>MediaKeyMessageEventInit</code></span> Members</a></li></ul></li></ul></li><li class="tocline"><a href="#mediakeysession-events" class="tocxref"><span class="secno">5.4 </span>Event Summary</a></li><li class="tocline"><a href="#mediakeysession-algorithms" class="tocxref"><span class="secno">5.5 </span>Algorithms</a><ul class="toc"><li class="tocline"><a href="#algorithms-queue-message" class="tocxref"><span class="secno">5.5.1 </span>Queue a "message" Event</a></li><li class="tocline"><a href="#algorithms-keys-changed" class="tocxref"><span class="secno">5.5.2 </span>Usable Keys Changed</a></li><li 
class="tocline"><a href="#algorithms-update-expiration" class="tocxref"><span class="secno">5.5.3 </span>Update Expiration</a></li><li class="tocline"><a href="#algorithms-session-close" class="tocxref"><span class="secno">5.5.4 </span>Session Close</a></li></ul></li><li class="tocline"><a href="#exceptions" class="tocxref"><span class="secno">5.6 </span>Exceptions</a></li><li class="tocline"><a href="#session-storage" class="tocxref"><span class="secno">5.7 </span>Session Storage and Persistence</a></li></ul></li><li class="tocline"><a href="#htmlmediaelement-extensions" class="tocxref"><span class="secno">6. </span><span class="formerLink"><code>HTMLMediaElement</code></span> Extensions</a><ul class="toc"><li class="tocline"><a href="#attributes-3" class="tocxref"><span class="secno">6.1 </span>Attributes</a></li><li class="tocline"><a href="#methods-4" class="tocxref"><span class="secno">6.2 </span>Methods</a></li><li class="tocline"><a href="#mediaencryptedevent" class="tocxref"><span class="secno">6.3 </span><span class="formerLink"><code>MediaEncryptedEvent</code></span></a><ul class="toc"><li class="tocline"><a href="#constructors-1" class="tocxref"><span class="secno">6.3.1 </span>Constructors</a></li><li class="tocline"><a href="#attributes-4" class="tocxref"><span class="secno">6.3.2 </span>Attributes</a></li><li class="tocline"><a href="#mediaencryptedeventinit" class="tocxref"><span class="secno">6.3.3 </span><span class="formerLink"><code>MediaEncryptedEventInit</code></span></a><ul class="toc"><li class="tocline"><a href="#dictionary-mediaencryptedeventinit-members" class="tocxref"><span class="secno">6.3.3.1 </span>Dictionary <span class="formerLink"><code>MediaEncryptedEventInit</code></span> Members</a></li></ul></li></ul></li><li class="tocline"><a href="#htmlmediaelement-events" class="tocxref"><span class="secno">6.4 </span>Event Summary</a></li><li class="tocline"><a href="#htmlmediaelement-algorithms" class="tocxref"><span class="secno">6.5 
</span>Algorithms</a><ul class="toc"><li class="tocline"><a href="#algorithms-initdata-encountered" class="tocxref"><span class="secno">6.5.1 </span>Initialization Data Encountered</a></li><li class="tocline"><a href="#algorithms-encrypted-block" class="tocxref"><span class="secno">6.5.2 </span>Encrypted Block Encountered</a></li><li class="tocline"><a href="#algorithms-queue-waiting" class="tocxref"><span class="secno">6.5.3 </span>Queue a "waiting" Event</a></li><li class="tocline"><a href="#algorithms-resume-playback" class="tocxref"><span class="secno">6.5.4 </span>Attempt to Resume Playback If Necessary</a></li><li class="tocline"><a href="#htmlmediaelement-playing-the-media-resource" class="tocxref"><span class="secno">6.5.5 </span>Playing the Media Resource Algorithm Modifications</a></li></ul></li><li class="tocline"><a href="#media-element-restictions" class="tocxref"><span class="secno">6.6 </span>Media Element Restrictions</a></li></ul></li><li class="tocline"><a href="#common-key-systems" class="tocxref"><span class="secno">7. 
</span>Common Key Systems</a><ul class="toc"><li class="tocline"><a href="#clear-key" class="tocxref"><span class="secno">7.1 </span>Clear Key</a><ul class="toc"><li class="tocline"><a href="#clear-key-capabilities" class="tocxref"><span class="secno">7.1.1 </span>Capabilities</a></li><li class="tocline"><a href="#clear-key-behavior" class="tocxref"><span class="secno">7.1.2 </span>Behavior</a></li><li class="tocline"><a href="#clear-key-request-format" class="tocxref"><span class="secno">7.1.3 </span>License Request Format</a><ul class="toc"><li class="tocline"><a href="#clear-key-request-format-example" class="tocxref"><span class="secno">7.1.3.1 </span>Example</a></li></ul></li><li class="tocline"><a href="#clear-key-license-format" class="tocxref"><span class="secno">7.1.4 </span>License Format</a><ul class="toc"><li class="tocline"><a href="#clear-key-license-format-example" class="tocxref"><span class="secno">7.1.4.1 </span>Example</a></li></ul></li><li class="tocline"><a href="#using-base64url" class="tocxref"><span class="secno">7.1.5 </span>Using base64url</a></li></ul></li></ul></li><li class="tocline"><a href="#security" class="tocxref"><span class="secno">8. </span>Security Considerations</a></li><li class="tocline"><a href="#privacy" class="tocxref"><span class="secno">9. 
</span>Privacy Considerations</a><ul class="toc"><li class="tocline"><a href="#privacy-disclosure" class="tocxref"><span class="secno">9.1 </span>Information Disclosed by EME and Key Systems</a></li><li class="tocline"><a href="#privacy-fingerprinting" class="tocxref"><span class="secno">9.2 </span>Fingerprinting</a></li><li class="tocline"><a href="#privacy-leakage" class="tocxref"><span class="secno">9.3 </span>Information Leakage</a></li><li class="tocline"><a href="#privacy-tracking" class="tocxref"><span class="secno">9.4 </span>Tracking</a></li><li class="tocline"><a href="#privacy-storedinfo" class="tocxref"><span class="secno">9.5 </span>Information Stored on User Devices</a></li><li class="tocline"><a href="#privacy-secureorigin" class="tocxref"><span class="secno">9.6 </span>Use Secure Origin and Transport</a></li></ul></li><li class="tocline"><a href="#examples" class="tocxref"><span class="secno">10. </span>Examples</a><ul class="toc"><li class="tocline"><a href="#example-source-and-key-known" class="tocxref"><span class="secno">10.1 </span>Source and Key Known at Page Load (Clear Key)</a></li><li class="tocline"><a href="#example-selecting-key-system" class="tocxref"><span class="secno">10.2 </span>Selecting a Supported Key System and Using Initialization Data from the "encrypted" Event</a></li><li class="tocline"><a href="#example-mediakeys-before-source" class="tocxref"><span class="secno">10.3 </span>Create MediaKeys Before Loading Media</a></li><li class="tocline"><a href="#example-using-all-events" class="tocxref"><span class="secno">10.4 </span>Using All Events</a></li><li class="tocline"><a href="#example-stored-license" class="tocxref"><span class="secno">10.5 </span>Stored License</a></li></ul></li><li class="tocline"><a href="#revision-history" class="tocxref"><span class="secno">11. </span>Revision History</a></li><li class="tocline"><a href="#references" class="tocxref"><span class="secno">A. 
</span>References</a><ul class="toc"><li class="tocline"><a href="#normative-references" class="tocxref"><span class="secno">A.1 </span>Normative references</a></li><li class="tocline"><a href="#informative-references" class="tocxref"><span class="secno">A.2 </span>Informative references</a></li></ul></li></ul></section>
+</section><section id="toc"><h2 class="introductory" role="heading" id="h2_toc">Table of Contents</h2><ul class="toc" role="directory" id="respecContents"><li class="tocline"><a href="#introduction" class="tocxref"><span class="secno">1. </span>Introduction</a><ul class="toc"><li class="tocline"><a href="#definitions" class="tocxref"><span class="secno">1.1 </span>Definitions</a></li></ul></li><li class="tocline"><a href="#obtaining-access-to-key-systems" class="tocxref"><span class="secno">2. </span>Obtaining Access to Key Systems</a><ul class="toc"><li class="tocline"><a href="#requestmediakeysystemaccess" class="tocxref"><span class="secno">2.1 </span>requestMediaKeySystemAccess()</a><ul class="toc"><li class="tocline"><a href="#methods" class="tocxref"><span class="secno">2.1.1 </span>Methods</a></li></ul></li><li class="tocline"><a href="#mediakeysystemoptions-dictionary" class="tocxref"><span class="secno">2.2 </span><span class="formerLink"><code>MediaKeySystemOptions</code></span> dictionary</a><ul class="toc"><li class="tocline"><a href="#dictionary-mediakeysystemoptions-members" class="tocxref"><span class="secno">2.2.1 </span>Dictionary <span class="formerLink"><code>MediaKeySystemOptions</code></span> Members</a></li></ul></li></ul></li><li class="tocline"><a href="#mediakeysystemaccess-interface" class="tocxref"><span class="secno">3. </span><span class="formerLink"><code>MediaKeySystemAccess</code></span> Interface</a><ul class="toc"><li class="tocline"><a href="#attributes" class="tocxref"><span class="secno">3.1 </span>Attributes</a></li><li class="tocline"><a href="#methods-1" class="tocxref"><span class="secno">3.2 </span>Methods</a></li></ul></li><li class="tocline"><a href="#mediakeys-interface" class="tocxref"><span class="secno">4. 
</span><span class="formerLink"><code>MediaKeys</code></span> Interface</a><ul class="toc"><li class="tocline"><a href="#methods-2" class="tocxref"><span class="secno">4.1 </span>Methods</a></li></ul></li><li class="tocline"><a href="#mediakeysession-interface" class="tocxref"><span class="secno">5. </span><span class="formerLink"><code>MediaKeySession</code></span> Interface</a><ul class="toc"><li class="tocline"><a href="#attributes-1" class="tocxref"><span class="secno">5.1 </span>Attributes</a></li><li class="tocline"><a href="#methods-3" class="tocxref"><span class="secno">5.2 </span>Methods</a></li><li class="tocline"><a href="#mediakeymessageevent" class="tocxref"><span class="secno">5.3 </span><span class="formerLink"><code>MediaKeyMessageEvent</code></span></a><ul class="toc"><li class="tocline"><a href="#constructors" class="tocxref"><span class="secno">5.3.1 </span>Constructors</a></li><li class="tocline"><a href="#attributes-2" class="tocxref"><span class="secno">5.3.2 </span>Attributes</a></li><li class="tocline"><a href="#mediakeymessageeventinit" class="tocxref"><span class="secno">5.3.3 </span><span class="formerLink"><code>MediaKeyMessageEventInit</code></span></a><ul class="toc"><li class="tocline"><a href="#dictionary-mediakeymessageeventinit-members" class="tocxref"><span class="secno">5.3.3.1 </span>Dictionary <span class="formerLink"><code>MediaKeyMessageEventInit</code></span> Members</a></li></ul></li></ul></li><li class="tocline"><a href="#mediakeysession-events" class="tocxref"><span class="secno">5.4 </span>Event Summary</a></li><li class="tocline"><a href="#mediakeysession-algorithms" class="tocxref"><span class="secno">5.5 </span>Algorithms</a><ul class="toc"><li class="tocline"><a href="#algorithms-queue-message" class="tocxref"><span class="secno">5.5.1 </span>Queue a "message" Event</a></li><li class="tocline"><a href="#algorithms-keys-changed" class="tocxref"><span class="secno">5.5.2 </span>Usable Keys Changed</a></li><li 
class="tocline"><a href="#algorithms-update-expiration" class="tocxref"><span class="secno">5.5.3 </span>Update Expiration</a></li><li class="tocline"><a href="#algorithms-session-close" class="tocxref"><span class="secno">5.5.4 </span>Session Close</a></li></ul></li><li class="tocline"><a href="#exceptions" class="tocxref"><span class="secno">5.6 </span>Exceptions</a></li><li class="tocline"><a href="#session-storage" class="tocxref"><span class="secno">5.7 </span>Session Storage and Persistence</a></li></ul></li><li class="tocline"><a href="#htmlmediaelement-extensions" class="tocxref"><span class="secno">6. </span><span class="formerLink"><code>HTMLMediaElement</code></span> Extensions</a><ul class="toc"><li class="tocline"><a href="#attributes-3" class="tocxref"><span class="secno">6.1 </span>Attributes</a></li><li class="tocline"><a href="#methods-4" class="tocxref"><span class="secno">6.2 </span>Methods</a></li><li class="tocline"><a href="#mediaencryptedevent" class="tocxref"><span class="secno">6.3 </span><span class="formerLink"><code>MediaEncryptedEvent</code></span></a><ul class="toc"><li class="tocline"><a href="#constructors-1" class="tocxref"><span class="secno">6.3.1 </span>Constructors</a></li><li class="tocline"><a href="#attributes-4" class="tocxref"><span class="secno">6.3.2 </span>Attributes</a></li><li class="tocline"><a href="#mediaencryptedeventinit" class="tocxref"><span class="secno">6.3.3 </span><span class="formerLink"><code>MediaEncryptedEventInit</code></span></a><ul class="toc"><li class="tocline"><a href="#dictionary-mediaencryptedeventinit-members" class="tocxref"><span class="secno">6.3.3.1 </span>Dictionary <span class="formerLink"><code>MediaEncryptedEventInit</code></span> Members</a></li></ul></li></ul></li><li class="tocline"><a href="#htmlmediaelement-events" class="tocxref"><span class="secno">6.4 </span>Event Summary</a></li><li class="tocline"><a href="#htmlmediaelement-algorithms" class="tocxref"><span class="secno">6.5 
</span>Algorithms</a><ul class="toc"><li class="tocline"><a href="#algorithms-initdata-encountered" class="tocxref"><span class="secno">6.5.1 </span>Initialization Data Encountered</a></li><li class="tocline"><a href="#algorithms-encrypted-block" class="tocxref"><span class="secno">6.5.2 </span>Encrypted Block Encountered</a></li><li class="tocline"><a href="#algorithms-queue-waiting" class="tocxref"><span class="secno">6.5.3 </span>Queue a "waiting" Event</a></li><li class="tocline"><a href="#algorithms-resume-playback" class="tocxref"><span class="secno">6.5.4 </span>Attempt to Resume Playback If Necessary</a></li><li class="tocline"><a href="#htmlmediaelement-playing-the-media-resource" class="tocxref"><span class="secno">6.5.5 </span>Playing the Media Resource Algorithm Modifications</a></li></ul></li><li class="tocline"><a href="#media-element-restictions" class="tocxref"><span class="secno">6.6 </span>Media Element Restrictions</a></li></ul></li><li class="tocline"><a href="#common-key-systems" class="tocxref"><span class="secno">7. 
</span>Common Key Systems</a><ul class="toc"><li class="tocline"><a href="#clear-key" class="tocxref"><span class="secno">7.1 </span>Clear Key</a><ul class="toc"><li class="tocline"><a href="#clear-key-capabilities" class="tocxref"><span class="secno">7.1.1 </span>Capabilities</a></li><li class="tocline"><a href="#clear-key-behavior" class="tocxref"><span class="secno">7.1.2 </span>Behavior</a></li><li class="tocline"><a href="#clear-key-request-format" class="tocxref"><span class="secno">7.1.3 </span>License Request Format</a><ul class="toc"><li class="tocline"><a href="#clear-key-request-format-example" class="tocxref"><span class="secno">7.1.3.1 </span>Example</a></li></ul></li><li class="tocline"><a href="#clear-key-license-format" class="tocxref"><span class="secno">7.1.4 </span>License Format</a><ul class="toc"><li class="tocline"><a href="#clear-key-license-format-example" class="tocxref"><span class="secno">7.1.4.1 </span>Example</a></li></ul></li><li class="tocline"><a href="#using-base64url" class="tocxref"><span class="secno">7.1.5 </span>Using base64url</a></li></ul></li></ul></li><li class="tocline"><a href="#security" class="tocxref"><span class="secno">8. </span>Security Considerations</a></li><li class="tocline"><a href="#privacy" class="tocxref"><span class="secno">9. 
</span>Privacy Considerations</a><ul class="toc"><li class="tocline"><a href="#privacy-disclosure" class="tocxref"><span class="secno">9.1 </span>Information Disclosed by EME and Key Systems</a></li><li class="tocline"><a href="#privacy-fingerprinting" class="tocxref"><span class="secno">9.2 </span>Fingerprinting</a></li><li class="tocline"><a href="#privacy-leakage" class="tocxref"><span class="secno">9.3 </span>Information Leakage</a></li><li class="tocline"><a href="#privacy-tracking" class="tocxref"><span class="secno">9.4 </span>Tracking</a><ul class="toc"><li class="tocline"><a href="#privacy-individualization" class="tocxref"><span class="secno">9.4.1 </span>Individualization</a></li></ul></li><li class="tocline"><a href="#privacy-storedinfo" class="tocxref"><span class="secno">9.5 </span>Information Stored on User Devices</a></li><li class="tocline"><a href="#privacy-secureorigin" class="tocxref"><span class="secno">9.6 </span>Use Secure Origin and Transport</a></li></ul></li><li class="tocline"><a href="#examples" class="tocxref"><span class="secno">10. </span>Examples</a><ul class="toc"><li class="tocline"><a href="#example-source-and-key-known" class="tocxref"><span class="secno">10.1 </span>Source and Key Known at Page Load (Clear Key)</a></li><li class="tocline"><a href="#example-selecting-key-system" class="tocxref"><span class="secno">10.2 </span>Selecting a Supported Key System and Using Initialization Data from the "encrypted" Event</a></li><li class="tocline"><a href="#example-mediakeys-before-source" class="tocxref"><span class="secno">10.3 </span>Create MediaKeys Before Loading Media</a></li><li class="tocline"><a href="#example-using-all-events" class="tocxref"><span class="secno">10.4 </span>Using All Events</a></li><li class="tocline"><a href="#example-stored-license" class="tocxref"><span class="secno">10.5 </span>Stored License</a></li></ul></li><li class="tocline"><a href="#revision-history" class="tocxref"><span class="secno">11. 
</span>Revision History</a></li><li class="tocline"><a href="#references" class="tocxref"><span class="secno">A. </span>References</a><ul class="toc"><li class="tocline"><a href="#normative-references" class="tocxref"><span class="secno">A.1 </span>Normative references</a></li><li class="tocline"><a href="#informative-references" class="tocxref"><span class="secno">A.2 </span>Informative references</a></li></ul></li></ul></section>
  
  
     
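Review bot: The table-of-contents replacement cannot be checked by reading the diff, because the whole list is removed and re-added as a few very long lines. The only difference I can find between the two versions is the new "9.4.1 Individualization" entry (href="#privacy-individualization") nested under "9.4 Tracking". Suggest committing the generated encrypted-media.html separately from the encrypted-media-respec.html edit, or saying in the commit message that it is regenerated output, so review can concentrate on the source file.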
@@ -637,8 +637,12 @@
               The same applies to reinitialization, reprovisioning, or reindividualization.
             </p></div>
             <p>For implementations that support per-origin initialization, such messages <em class="rfc2119" title="MUST">MUST</em> be passed to the application via the APIs.
+              Such messages <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain non-origin-specific per-client information, such as unique client identifiers.
               As with all other uses of the APIs, responses passed to the CDM <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain executable code.
             </p>
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_3"><span>Note</span></div><p class="">To preserve the privacy properties of per-origin initialization, applications and key system servers should not defer initialization to a non-origin-specific server.
+              See <a href="#privacy-individualization">Individualization</a>.
+            </p></div>
           </dd>
     
           <dt id="key-system">Key System</dt>
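Review bot: The inserted note block takes id="h_note_3", which the "com.example.somesystem" note carried before this change, and every later note id in the following hunks shifts by one (h_note_4 through h_note_11). Any link that targets an h_note_N fragment in the published draft will now land on a different note. If these ids are meant to be linkable, suggest giving the notes explicit ids in the source instead of relying on generated sequence numbers; if they are not, it would help to say so, since most of the remaining hunks in this file are renumbering only.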
@@ -652,9 +656,9 @@
         
             <p>A Key System string is always a reverse domain name.
             Key System strings are compared using case-sensitive matching. It is <em class="rfc2119" title="RECOMMENDED">RECOMMENDED</em> that CDMs use simple lower-case ASCII key system strings.</p>
-            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_3"><span>Note</span></div><p class="">For example, "com.example.somesystem".</p></div>
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_4"><span>Note</span></div><p class="">For example, "com.example.somesystem".</p></div>
         
-            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_4"><span>Note</span></div><p class="">
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_5"><span>Note</span></div><p class="">
             Within a given system ("somesystem" in the example), subsystems may be defined as determined by the key system provider.
             For example, "com.example.somesystem.1" and "com.example.somesystem.1_5".
             Key System providers should keep in mind that these will be used for comparison and discovery, so they should be easy to compare and the structure should remain reasonably simple.
@@ -683,7 +687,7 @@
               Session IDs for <code><a href="#idl-def-SessionType.persistent">"persistent"</a></code> sessions <em class="rfc2119" title="MUST">MUST</em> be unique within the <a href="http://www.w3.org/TR/html5/browsers.html#origin-0">origin</a> over time, including across browsing sessions.
             </p>
         
-            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_5"><span>Note</span></div><p class="">The underlying content protection protocol does not necessarily need to support Session IDs.</p></div>
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_6"><span>Note</span></div><p class="">The underlying content protection protocol does not necessarily need to support Session IDs.</p></div>
           </dd>
     
           <dt id="decryption-key">Key</dt>
@@ -695,7 +699,7 @@
             </p>
             
             <p>A key is considered <em>usable</em> if the CDM is certain the key is currently usable for decryption.</p>
-            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_6"><span>Note</span></div><p class="">For example, a key is not usable if its license has expired.</p></div>
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_7"><span>Note</span></div><p class="">For example, a key is not usable if its license has expired.</p></div>
           </dd>
     
           <dt id="decryption-key-id">Key ID</dt>
@@ -715,7 +719,7 @@
     
           <dt id="initialization-data">Initialization Data</dt>
           <dd>
-            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_7"><span>Note</span></div><p class="">
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_8"><span>Note</span></div><p class="">
             <a href="#key-system">Key Systems</a> usually require a block of initialization data containing information about the stream to be decrypted before they can construct a license request message.
             This block could be a simple key or content ID or a more complex structure containing such information.
             It should always allow unique identification of the key(s) needed to decrypt the content.
@@ -747,7 +751,7 @@
             <p>Initialization Data <em class="rfc2119" title="SHOULD NOT">SHOULD NOT</em> contain Key System-specific data or values.
               Implementations <em class="rfc2119" title="MUST">MUST</em> support the common formats defined [<cite><a class="bibref" href="#bib-EME-REGISTRY">EME-REGISTRY</a></cite>] for each <a href="#initialization-data-type">Initialization Data Type</a> they support.
             </p>
-            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_8"><span>Note</span></div><p class="">
+            <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_9"><span>Note</span></div><p class="">
               Use of proprietary formats/contents is discouraged, and supporting or using <em>only</em> proprietary formats is strongly discouraged.
               Proprietary formats should only be used with pre-existing content or on pre-existing devices that do not support the common formats.
             </p></div>            
@@ -831,7 +835,7 @@
                         <ol>
                           <li><p>If the member’s value cannot be satisfied together in combination with the previous members, continue to the next iteration of the loop.</p></li>
                         </ol>
-                        <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_9"><span>Note</span></div><p class="">Unrecognized dictionary members are ignored per [<cite><a class="bibref" href="#bib-WebIDL">WebIDL</a></cite>], and will never reach this algorithm. Thus, they cannot be considered as part of the combination.</p></div>
+                        <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_10"><span>Note</span></div><p class="">Unrecognized dictionary members are ignored per [<cite><a class="bibref" href="#bib-WebIDL">WebIDL</a></cite>], and will never reach this algorithm. Thus, they cannot be considered as part of the combination.</p></div>
                         </li><li>
                           <p>If <var title="true">keySystem</var> is supported and allowed in the <a href="http://www.w3.org/TR/html5/browsers.html#origin-0">origin</a> of the calling context's <a href="http://dom.spec.whatwg.org/#concept-document">Document</a> in the configuration specified by the combination of the values in <var>combination</var>, execute the following steps:</p>
                           <ol>
@@ -849,7 +853,7 @@
                     </ol>
                   </li>
                   <li><p>Reject <var>promise</var> with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-NotSupportedError">NotSupportedError</a></code>.</p> 
-                    <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_10"><span>Note</span></div><p class="">There were no supported combinations in <code>supportedConfigurations</code>.</p></div>
+                    <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_11"><span>Note</span></div><p class="">There were no supported combinations in <code>supportedConfigurations</code>.</p></div>
                   </li>
                 </ol>
               </li>
@@ -889,7 +893,7 @@
           </dd><dt id="widl-MediaKeySystemOptions-stateful"><code>stateful</code> of type <span class="idlMemberType"><a href="#idl-def-MediaKeysRequirement" class="idlType"><code>MediaKeysRequirement</code></a></span>, defaulting to <code>"optional"</code></dt><dd>
             Whether the ability to persist state is required. This includes session data and any other type of state.<br>
             Only <code><a href="#idl-def-SessionType.temporary">"temporary"</a></code> sessions may be created when statefulness is not supported.
-            <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_11"><span>Note</span></div><p class="">
+            <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_12"><span>Note</span></div><p class="">
               Except for <code><a href="#idl-def-SessionType.persistent">"persistent"</a></code> sessions, the need and ability to store state is Key System implementation-specific and may vary by feature used.</p></div>
           </dd><dt id="widl-MediaKeySystemOptions-uniqueidentifier"><code>uniqueidentifier</code> of type <span class="idlMemberType"><a href="#idl-def-MediaKeysRequirement" class="idlType"><code>MediaKeysRequirement</code></a></span>, defaulting to <code>"optional"</code></dt><dd>
             Whether a unique identifier is required.
@@ -1006,7 +1010,7 @@
           </ol></dd><dt id="widl-MediaKeys-setServerCertificate-Promise-void--BufferSource-serverCertificate"><code>setServerCertificate</code></dt><dd>
           <p id="server-certificate">Provides a server certificate to be used to encrypt messages to the license server.</p>
           <p>Key Systems that use such certificates <em class="rfc2119" title="MUST">MUST</em> also support requesting the certificate from the server via the <a href="#algorithms-queue-message">queue a "message" event algorithm</a>.</p>
-          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_12"><span>Note</span></div><p class="">This method allows an application to proactively provide a server certificate to implementations that support it to avod the additional round trip should the CDM request it.
+          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_13"><span>Note</span></div><p class="">This method allows an application to proactively provide a server certificate to implementations that support it to avod the additional round trip should the CDM request it.
             It is intended as an optimization, and applications are not required to use it.
           </p></div>
 
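Review bot: The note text carried onto the new h_note_13 line still reads "to avod the additional round trip". Fix the spelling to "avoid" in the source this file is generated from, so the typo does not survive the next regeneration.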
@@ -1062,7 +1066,7 @@
           <p>The <a href="#session-id">Session ID</a> for this object and the associated key(s) or license(s).</p>
         </dd></dl></section><section id="methods-3"><h3 role="heading" id="h3_methods-3"><span class="secno">5.2 </span>Methods</h3><dl class="methods"><dt id="widl-MediaKeySession-close-Promise-void"><code>close</code></dt><dd>
           <p>Indicates that the application no longer needs the session and the CDM should release any resources associated with this object and close it.</p>
-          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_13"><span>Note</span></div><p class="">The returned promise is resolved when the request has been processed, and the <code><a href="#widl-MediaKeySession-closed">closed</a></code> attribute promise is resolved when the session is closed.</p></div>
+          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_14"><span>Note</span></div><p class="">The returned promise is resolved when the request has been processed, and the <code><a href="#widl-MediaKeySession-closed">closed</a></code> attribute promise is resolved when the session is closed.</p></div>
 
           
         <div><em>No parameters.</em></div><div><em>Return type: </em><code>Promise&lt;void&gt;</code></div><p>When this method is invoked, the user agent must run the following steps:</p><ol class="method-algorithm">
@@ -1126,21 +1130,21 @@
                       <dl class="switch">
                         <dt>If <var title="true">session type</var> is <code><a href="#idl-def-SessionType.temporary">"temporary"</a></code></dt>
                         <dd>Let <var title="true">requested session type</var> be a temporary non-persisted session.<p></p>
-                          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_14"><span>Note</span></div><p class="">The returned license must not be persistable.</p></div>
+                          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_15"><span>Note</span></div><p class="">The returned license must not be persistable.</p></div>
                         </dd>
                         <dt>If <var title="true">session type</var> is <code><a href="#idl-def-SessionType.persistent">"persistent"</a></code></dt>
                         <dd>Let <var title="true">requested session type</var> be a persistable session.<p>
-                          </p><div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_15"><span>Note</span></div><p class="">The returned license may be persistable.</p></div>
+                          </p><div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_16"><span>Note</span></div><p class="">The returned license may be persistable.</p></div>
                         </dd>
                       </dl>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_16"><span>Note</span></div><p class="">The license server determines the type of license that is returned, either persistent or non-persistent. A persistent license cannot be added to a non-persistable session.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_17"><span>Note</span></div><p class="">The license server determines the type of license that is returned, either persistent or non-persistent. A persistent license cannot be added to a non-persistable session.</p></div>
                     </li>
       
                     <li><p>Let <var title="true">session id</var> be a unique <a href="#session-id">Session ID</a> string.</p>
                       <p>If <var title="true">session type</var> is <code><a href="#idl-def-SessionType.persistent">"persistent"</a></code>, the ID <em class="rfc2119" title="MUST">MUST</em> be unique within the the <a href="http://www.w3.org/TR/html5/browsers.html#origin-0">origin</a> of this object's <a href="http://dom.spec.whatwg.org/#concept-document">Document</a> over time, including across Documents and browsing sessions.</p>
                     </li>
                     <li><p>Let <var title="true">message</var> be a request for the <var title="true">requested session type</var> generated based on the <var>init data</var>, which is interpreted per <var title="true">initDataType</var>.</p>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_17"><span>Note</span></div><p class="">For example, a license request.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_18"><span>Note</span></div><p class="">For example, a license request.</p></div>
                       <p>The <var title="true">cdm</var> <em class="rfc2119" title="MUST NOT">MUST NOT</em> use any stream-specific data, including <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a>, not provided via the <var>init data</var>.</p>
                       <p>The <var title="true">cdm</var> <em class="rfc2119" title="SHOULD NOT">SHOULD NOT</em> store session data, including the session ID, at this point. See <a href="#session-storage">Session Storage and Persistence</a>.</p>
                     </li>
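Review bot: The unchanged Session ID step in this hunk reads "unique within the the origin"; drop the doubled "the" while this block is being touched. The two session-type notes also say "must not be persistable" and "may be persistable" in lowercase, so it is unclear whether they are requirements on the license server or only explanation; the h_note_17 note suggests the latter, and the wording could say so.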
@@ -1197,7 +1201,7 @@
             <li><p>Run the following steps asynchronously:</p>
               <ol>
                 <li><p>Let <var>sanitized session ID</var> be a validated and/or sanitized version of <var title="true">sessionId</var>.</p>
-                  <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_18"><span>Note</span></div><p class="">The user agent should thoroughly validate the sessionId value before passing it to the CDM.
+                  <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_19"><span>Note</span></div><p class="">The user agent should thoroughly validate the sessionId value before passing it to the CDM.
                     At a minimum, this should include checking that the length and value (e.g. alphanumeric) are reasonable.
                   </p></div>
                 </li>
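Review bot: The sessionId check in the h_note_19 note is stated only as "length and value (e.g. alphanumeric) are reasonable", and the lines shown here give no outcome for a value that fails it. Because this string is handed to the CDM and is the key used to find stored session data, the step should say what happens on failure (for example, rejecting promise) and either give a concrete bound and character set or state that the Key System defines them.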
@@ -1213,7 +1217,7 @@
                     <li><p>Let <var title="true">session data</var> be the data stored for the <var>sanitized session ID</var> in the <var title="true">origin</var>.
                     This <em class="rfc2119" title="MUST NOT">MUST NOT</em> include data from other origin(s) or that is not associated with an origin.</p></li>
                     <li><p>If there is an unclosed <code><a href="#idl-def-SessionType.persistent">"persistent"</a></code> session in any <a href="http://dom.spec.whatwg.org/#concept-document">Document</a> representing the <var title="true">session data</var>, reject <var>promise</var> with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-QuotaExceededError">QuotaExceededError</a></code>.</p>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_19"><span>Note</span></div><p class="">In other words, do not create a session if a non-closed persistent session already exists for this <var>sanitized session ID</var> in any browsing context.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_20"><span>Note</span></div><p class="">In other words, do not create a session if a non-closed persistent session already exists for this <var>sanitized session ID</var> in any browsing context.</p></div>
                     </li>
                     <li><p>Load the <var title="true">session data</var>.</p></li>
                     <li><p>If the <var title="true">session data</var> indicates an expiration time for the session, let <var title="true">expiration time</var> be the expiration time in milliseconds since 01 January 1970 UTC.</p></li>
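Review bot: The step scopes the check to an unclosed persistent session "in any Document", while the h_note_20 note restating it says "in any browsing context"; use one term in both so the scope is unambiguous. A sentence on why QuotaExceededError is the name chosen for an already-open session would also help, since the name does not describe the condition.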
@@ -1255,7 +1259,7 @@
                       <p>Process the remove request.</p>
                       <p>This <em class="rfc2119" title="MAY">MAY</em> involve exchanging message(s) with the application.</p>
                       <p>Unless this step fails, the CDM <em class="rfc2119" title="MUST">MUST</em> have cleared all stored session data associated with this object, including the <code><a href="#widl-MediaKeySession-sessionId">sessionId</a></code>, before proceeding to the next step.</p>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_20"><span>Note</span></div><p class="">A subsequent call to <code><a href="#widl-MediaKeySession-load-Promise-boolean--DOMString-sessionId">load()</a></code> with the value <code><a href="#widl-MediaKeySession-sessionId">sessionId</a></code> would fail because there is no data stored for that session ID.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_21"><span>Note</span></div><p class="">A subsequent call to <code><a href="#widl-MediaKeySession-load-Promise-boolean--DOMString-sessionId">load()</a></code> with the value <code><a href="#widl-MediaKeySession-sessionId">sessionId</a></code> would fail because there is no data stored for that session ID.</p></div>
                     </li>
                   </ol>
                 </li>
@@ -1287,7 +1291,7 @@
             <li><p>Run the following steps asynchronously:</p>
               <ol>
                 <li><p>Let <var>sanitized response</var> be a validated and/or sanitized version of <var>response copy</var>.</p>
-                  <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_21"><span>Note</span></div><p class="">The user agent should thoroughly validate the response before passing it to the CDM.
+                  <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_22"><span>Note</span></div><p class="">The user agent should thoroughly validate the response before passing it to the CDM.
                     This may include verifying values are within reasonable limits, stripping irrelevant data or fields, pre-parsing it, sanitizing it, and/or generating a fully sanitized version.
                     The user agent should check that the length and values of fields are reasonable.
                     Unknown fields should be rejected or removed.
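Review bot: "Unknown fields should be rejected or removed" in the h_note_22 note permits two different behaviours, failing the update or silently stripping the field, and the step itself only says "validated and/or sanitized". State which one applies, or when each applies, so that user agents handle the same malformed response the same way before it reaches the CDM.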
@@ -1312,10 +1316,10 @@
                         <dd>Reject <var>promise</var> with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-InvalidAccessError">InvalidAccessError</a></code>.</dd>
                       </dl>
                       <p>See also <a href="#session-storage">Session Storage and Persistence</a>.</p>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_22"><span>Note</span></div><p class="">When <var>sanitized response</var> contains key(s) and/or related data, <var title="true">cdm</var> will likely cache the key and related data indexed by key ID.</p></div>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_23"><span>Note</span></div><p class="">The replacement algorithm within a session is <a href="#key-system">Key System</a>-dependent.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_23"><span>Note</span></div><p class="">When <var>sanitized response</var> contains key(s) and/or related data, <var title="true">cdm</var> will likely cache the key and related data indexed by key ID.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_24"><span>Note</span></div><p class="">The replacement algorithm within a session is <a href="#key-system">Key System</a>-dependent.</p></div>
                       <p>Keys from different sessions <em class="rfc2119" title="SHOULD">SHOULD</em> be cached independently such that closing one session does not affect keys in other sessions, even if they have overlapping key IDs.</p>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_24"><span>Note</span></div><p class="">It is <em class="rfc2119" title="RECOMMENDED">RECOMMENDED</em> that CDM implementations support a standard and reasonably high minimum number of keys per <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> object, including a standard replacement algorithm, and a standard and reasonably high minimum number of <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> objects.
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_25"><span>Note</span></div><p class="">It is <em class="rfc2119" title="RECOMMENDED">RECOMMENDED</em> that CDM implementations support a standard and reasonably high minimum number of keys per <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> object, including a standard replacement algorithm, and a standard and reasonably high minimum number of <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> objects.
                       This enables a reasonable number of key rotation algorithms to be implemented across user agents and may reduce the likelihood of playback interruptions in use cases that involve various streams in the same element (i.e. adaptive streams, various audio and video tracks) using different keys.
                       </p></div>
                     </li> 
@@ -1360,11 +1364,11 @@
             The message from the CDM. Messages are Key System-specific.
           </dd><dt id="widl-MediaKeyMessageEvent-messageType"><code>messageType</code> of type <span class="idlAttrType"><a href="#idl-def-MediaKeyMessageType" class="idlType"><code>MediaKeyMessageType</code></a></span>, readonly   </dt><dd>
             The type of the message.
-            <p>Applications <em class="rfc2119" title="MAY">MAY</em> ignore this attribute and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be required to handle message types.
+            <p>Implementations <em class="rfc2119" title="MUST NOT">MUST NOT</em> require applications to handle message types.
               Implementations <em class="rfc2119" title="MUST">MUST</em> support applications that do not differentiate messages and <em class="rfc2119" title="MUST NOT">MUST NOT</em> require that applications handle message types.
               Specifically, Key Systems <em class="rfc2119" title="MUST">MUST</em> support passing all types of messages to a single URL.
             </p>
-            <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_25"><span>Note</span></div><p class="">This attribute allows an application to differentiate messages without parsing the message.
+            <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_26"><span>Note</span></div><p class="">This attribute allows an application to differentiate messages without parsing the message.
               It is intended to enable optional application and/or server optimizations, but applications are not required to use it.
             </p></div>
           </dd></dl></section>
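Review bot: The new first sentence, "Implementations MUST NOT require applications to handle message types", repeats the end of the sentence that follows it, "MUST NOT require that applications handle message types". Keep the new sentence and trim the second to "Implementations MUST support applications that do not differentiate messages." The removed "Applications MAY ignore this attribute" is still covered by the note's "applications are not required to use it", so nothing is lost.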
@@ -1385,7 +1389,7 @@
       <section id="mediakeysession-events" class="informative" typeof="bibo:Chapter" resource="#mediakeysession-events" rel="bibo:Chapter">
         <h3 role="heading" id="h3_mediakeysession-events"><span class="secno">5.4 </span>Event Summary</h3><p><em>This section is non-normative.</em></p>
     
-        <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_26"><span>Note</span></div><p class="">In some implementations, <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> objects may not fire any events until the <code><a href="#idl-def-MediaKeys">MediaKeys</a></code> object is associated with a media element using <code><a href="#widl-HTMLMediaElement-setMediaKeys-Promise-void--MediaKeys-mediaKeys">setMediaKeys()</a></code>.</p></div>
+        <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_27"><span>Note</span></div><p class="">In some implementations, <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> objects may not fire any events until the <code><a href="#idl-def-MediaKeys">MediaKeys</a></code> object is associated with a media element using <code><a href="#widl-HTMLMediaElement-setMediaKeys-Promise-void--MediaKeys-mediaKeys">setMediaKeys()</a></code>.</p></div>
     
         <table class="old-table">
           <thead>
@@ -1444,7 +1448,7 @@
             <li><p><a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-evt-keyschange">keyschange</a></code> at the <var title="true">session</var>.</p></li>
             <li><p><a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to run the <a href="#algorithms-resume-playback">attempt to resume playback if necessary algorithm</a> on each of the media element(s) whose <code><a href="#widl-HTMLMediaElement-mediaKeys">mediaKeys</a></code> attribute is the MediaKeys object that created the <var title="true">session</var>.</p>
               <p>The user agent <em class="rfc2119" title="MAY">MAY</em> choose to skip this step if it knows resuming will fail.</p>
-              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_27"><span>Note</span></div><p class="">For example, the user agent may skip this step if no additional keys became available.</p></div>
+              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_28"><span>Note</span></div><p class="">For example, the user agent may skip this step if no additional keys became available.</p></div>
             </li>
           </ol>
         </section>
@@ -1467,7 +1471,7 @@
         <section id="algorithms-session-close" typeof="bibo:Chapter" resource="#algorithms-session-close" rel="bibo:Chapter">
           <h4 role="heading" id="h4_algorithms-session-close"><span class="secno">5.5.4 </span>Session Close</h4>
           <p>The Session Close algorithm is run when the CDM closes the session associated with a <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> object.</p>
-          <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_28"><span>Note</span></div><p class="">The CDM may close a session at any point, such as in response to a <code><a href="#widl-MediaKeySession-close-Promise-void">close()</a></code> call, when the session is no longer needed, or when system resources are lost.
+          <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_29"><span>Note</span></div><p class="">The CDM may close a session at any point, such as in response to a <code><a href="#widl-MediaKeySession-close-Promise-void">close()</a></code> call, when the session is no longer needed, or when system resources are lost.
           Keys in other sessions <em class="rfc2119" title="SHOULD">SHOULD</em> be unaffected, even if they have overlapping key IDs.
           </p></div>
           <p>The following steps are run:</p>
@@ -1554,7 +1558,7 @@
         <p>An application that creates a <code><a href="#idl-def-SessionType.persistent">"persistent"</a></code> session <em class="rfc2119" title="SHOULD">SHOULD</em> later remove the stored data using <code><a href="#widl-MediaKeySession-remove-Promise-void">remove()</a></code>.
           The CDM <em class="rfc2119" title="MAY">MAY</em> also remove sessions as appropriate, but applications <em class="rfc2119" title="SHOULD NOT">SHOULD NOT</em> rely on this.
         </p>
-        <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_29"><span>Note</span></div><p class="">See the <a href="#security">Security Considerations</a> and <a href="#privacy">Privacy Considerations</a> sections for additional considerations when supporting persistent storage.</p></div>
+        <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_30"><span>Note</span></div><p class="">See the <a href="#security">Security Considerations</a> and <a href="#privacy">Privacy Considerations</a> sections for additional considerations when supporting persistent storage.</p></div>
       </section>
     </section>
 
@@ -1596,8 +1600,8 @@
 
           
           
-          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_32"><span>Note</span></div><p class="">Support for clearing or replacing the associated <code><a href="#idl-def-MediaKeys">MediaKeys</a></code> object during playback is a quality of implementation issue. In many cases it will result in a bad user experience or rejected promise.</p></div>
-          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_33"><span>Note</span></div><p class="">As a best practice, applications should create a MediaKeys object and call <code><a href="#widl-HTMLMediaElement-setMediaKeys-Promise-void--MediaKeys-mediaKeys">setMediaKeys()</a></code> before providing <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> (for example, setting the <code><a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-media-src">src</a></code> attribute). This avoids potential delays in some implementations.</p></div>
+          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_33"><span>Note</span></div><p class="">Support for clearing or replacing the associated <code><a href="#idl-def-MediaKeys">MediaKeys</a></code> object during playback is a quality of implementation issue. In many cases it will result in a bad user experience or rejected promise.</p></div>
+          <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_34"><span>Note</span></div><p class="">As a best practice, applications should create a MediaKeys object and call <code><a href="#widl-HTMLMediaElement-setMediaKeys-Promise-void--MediaKeys-mediaKeys">setMediaKeys()</a></code> before providing <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> (for example, setting the <code><a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-media-src">src</a></code> attribute). This avoids potential delays in some implementations.</p></div>
         <table class="parameters"><tbody><tr><th>Parameter</th><th>Type</th><th>Nullable</th><th>Optional</th><th>Description</th></tr><tr><td class="prmName">mediaKeys</td><td class="prmType"><code><a href="#idl-def-MediaKeys" class="idlType"><code>MediaKeys</code></a></code></td><td class="prmNullTrue"><span role="img" aria-label="True">✔</span></td><td class="prmOptFalse"><span role="img" aria-label="False">✘</span></td><td class="prmDesc">
               A <code><a href="#idl-def-MediaKeys">MediaKeys</a></code> object.
             </td></tr></tbody></table><div><em>Return type: </em><code>Promise&lt;void&gt;</code></div><p>When this method is invoked, the user agent must run the following steps:</p><ol class="method-algorithm">
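Review bot: After the renumbering these two notes are h_note_33 and h_note_34, but the notes in the steps that follow them in the next two hunks become h_note_31 and h_note_32, so the ids do not run in document order. If anything links to these ids, a shift of one on every regeneration plus the out-of-order numbering makes them unreliable targets; stable, named ids on the notes that need linking would avoid that.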
@@ -1613,7 +1617,7 @@
                   <ol>
                     <li><p>If the user agent or CDM do not support removing the association, let this object's <var title="true">attaching media keys</var> value be false and reject <var>promise</var> with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-NotSupportedError">NotSupportedError</a></code>.</p></li>
                     <li><p>If the association cannot currently be removed, let this object's <var title="true">attaching media keys</var> value be false and reject <var>promise</var> with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is <code><a href="#dfn-InvalidStateError">InvalidStateError</a></code>.</p>
-                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_30"><span>Note</span></div><p class="">For example, some implementations may not allow removal during playback.</p></div>
+                      <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_31"><span>Note</span></div><p class="">For example, some implementations may not allow removal during playback.</p></div>
                     </li>
                     <li><p>Stop using the CDM instance represented by the <code><a href="#widl-HTMLMediaElement-mediaKeys">mediaKeys</a></code> attribute to decrypt <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> and remove the association with the media element.</p></li>
                     <li><p>If the preceding step failed, let this object's <var title="true">attaching media keys</var> value be false and reject <var>promise</var> with a new <code><a href="http://heycam.github.io/webidl/#dfn-DOMException">DOMException</a></code> whose name is the appropriate <a href="#error-names">error name</a>.</p></li>
@@ -1631,7 +1635,7 @@
                     </li>
                     <li><p><a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to run the <a href="#algorithms-resume-playback">attempt to resume playback if necessary algorithm</a> on the media element.</p>
                       <p>The user agent <em class="rfc2119" title="MAY">MAY</em> choose to skip this step if it knows resuming will fail.</p><p>
-                      </p><div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_31"><span>Note</span></div><p class="">For example, the user agent may skip this step if <var>mediaKeys</var> has no sessions.</p></div>
+                      </p><div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_32"><span>Note</span></div><p class="">For example, the user agent may skip this step if <var>mediaKeys</var> has no sessions.</p></div>
                     </li>
                   </ol>
                 </li>
@@ -1691,7 +1695,7 @@
               <td><a href="#idl-def-MediaEncryptedEvent" class="idlType"><code>MediaEncryptedEvent</code></a></td>
               <td>The user agent encounters <a href="#initialization-data">Initialization Data</a> in the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a>.</td>
               <td><code><a href="http://www.w3.org/TR/html5/embedded-content-0.html#dom-media-readystate">readyState</a></code> is equal to <code><a href="http://www.w3.org/TR/html5/embedded-content-0.html#dom-media-have_metadata">HAVE_METADATA</a></code> or greater.
-              <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_34"><span>Note</span></div><p class="">It is possible that the element is playing or has played.</p></div>
+              <div class="note"><div class="note-title" aria-level="2" role="heading" id="h_note_35"><span>Note</span></div><p class="">It is possible that the element is playing or has played.</p></div>
               </td>
             </tr>
           </tbody>
@@ -1714,7 +1718,7 @@
                 <li><p>Let <var title="">initDataType</var> be the string representing the <a href="#initialization-data-type">Initialization Data Type</a> of the Initialization Data.</p></li>
                 <li><p>Let <var title="">initData</var> be the Initialization Data.</p></li>
               </ol>
-              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_35"><span>Note</span></div><p class="">While the media element may allow loading of "Optionally-blockable Content" [<cite><a class="bibref" href="#bib-MIXED-CONTENT">MIXED-CONTENT</a></cite>], the user agent <em class="rfc2119" title="MUST NOT">MUST NOT</em> expose Initialization Data from such media data to the application.</p></div>
+              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_36"><span>Note</span></div><p class="">While the media element may allow loading of "Optionally-blockable Content" [<cite><a class="bibref" href="#bib-MIXED-CONTENT">MIXED-CONTENT</a></cite>], the user agent <em class="rfc2119" title="MUST NOT">MUST NOT</em> expose Initialization Data from such media data to the application.</p></div>
             </li>
             <li>
               <p><a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-evt-encrypted">encrypted</a></code> at the media element.</p>
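Review bot: The renumbered note (h_note_36) carries a normative MUST NOT, that the user agent must not expose Initialization Data from "Optionally-blockable Content" to the application, but it sits inside a class="note" block, which readers normally treat as informative. Since this line is regenerated anyway, consider moving the requirement into the numbered steps in the source and leaving the note to explain the reason, so an implementer who skips notes does not miss it.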
@@ -1723,8 +1727,8 @@
                 <code><a href="#widl-MediaEncryptedEventInit-initDataType">initDataType</a></code> = <var title="">initDataType</var><br><br>
                 <code><a href="#widl-MediaEncryptedEventInit-initData">initData</a></code> = <var title="">initData</var>
               </li></ul>
-              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_36"><span>Note</span></div><p class=""><code><a href="http://www.w3.org/TR/html5/embedded-content-0.html#dom-media-readystate">readyState</a></code> is <em>not</em> changed and no algorithms are aborted. This event merely provides information.</p></div>
-              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_37"><span>Note</span></div><p class="">The <code><a href="#widl-MediaEncryptedEventInit-initData">initData</a></code> attribute will be null if the media data is <em>not</em> <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> or is <a href="#mixed-content">mixed content</a>.
+              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_37"><span>Note</span></div><p class=""><code><a href="http://www.w3.org/TR/html5/embedded-content-0.html#dom-media-readystate">readyState</a></code> is <em>not</em> changed and no algorithms are aborted. This event merely provides information.</p></div>
+              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_38"><span>Note</span></div><p class="">The <code><a href="#widl-MediaEncryptedEventInit-initData">initData</a></code> attribute will be null if the media data is <em>not</em> <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> or is <a href="#mixed-content">mixed content</a>.
                 Applications may retrieve the Initialization Data from an alternate source.
               </p></div>
             </li>
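Review bot: The id h_note_37 is reused for a different note in this hunk. Before the change it identified the note saying initData will be null when the media data is not CORS-same-origin or is mixed content; after the change it identifies the readyState note. Any existing link to #h_note_37 will silently resolve to the wrong text. If these notes are meant to be link targets, give them explicit stable ids in the source rather than relying on the generated counter.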
@@ -1743,10 +1747,10 @@
                 <li><p>Let <var title="true">media keys</var> be the <code><a href="#idl-def-MediaKeys">MediaKeys</a></code> object referenced by that atribute.</p></li>
                 <li><p>Let <var title="true">cdm</var> be the CDM loaded during the <a href="#widl-MediaKeySystemAccess-createMediaKeys-Promise-MediaKeys">initialization</a> of the <var title="true">media keys</var>.</p></li>
                 <li><p>If there is at least one <code><a href="#idl-def-MediaKeySession">MediaKeySession</a></code> created by the <var title="true">media keys</var> on which the <a href="#algorithms-session-close">session close algorithm</a> has not been run, run the following steps:</p>
-                  <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_38"><span>Note</span></div><p class="">This check ensures the <var title="true">cdm</var> has finished loading and is a prequisite for a matching key being available.</p></div>
+                  <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_39"><span>Note</span></div><p class="">This check ensures the <var title="true">cdm</var> has finished loading and is a prequisite for a matching key being available.</p></div>
                   <ol>
                     <li><p>Let the <var title="true">block key ID</var> be the key ID of the current block.</p>
-                      <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_39"><span>Note</span></div><p class="">The key ID is generally specified by the container.</p></div>
+                      <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_40"><span>Note</span></div><p class="">The key ID is generally specified by the container.</p></div>
                     </li>
                     <li><p>Use the <var title="true">cdm</var> to execute the following steps:</p>
                       <ol>
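Review bot: Two typos sit in this hunk: "atribute" in the unchanged step "referenced by that atribute" and "prequisite" in the renumbered h_note_39 note. Both should be corrected in encrypted-media-respec.html ("attribute", "prerequisite") so the regenerated output picks them up.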
@@ -1757,7 +1761,7 @@
                           <dd>Run the following steps:
                             <ol>
                               <li><p>Let <var title="">block key</var> be the matching key.</p>
-                                <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_40"><span>Note</span></div><p class="">If multiple sessions contain a <em>usable</em> key for the <var title="">block key ID</var>, which key to use is <a href="#key-system">Key System</a>-dependent.</p></div>
+                                <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_41"><span>Note</span></div><p class="">If multiple sessions contain a <em>usable</em> key for the <var title="">block key ID</var>, which key to use is <a href="#key-system">Key System</a>-dependent.</p></div>
                               </li>
                               <li><p>Use the <var title="true">cdm</var> to decrypt the block using <var title="">block key</var>.</p></li>
                               <li><p>Follow the steps for the first matching condition from the following list:</p>
@@ -1769,12 +1773,12 @@
                                     <ol>
                                       <li><p>If the <code><a href="#widl-HTMLMediaElement-waitingFor">waitingFor</a></code> attribute on the media element is <code><a href="#idl-def-MediaWaitingFor.key">"key"</a></code>, set the <code><a href="#widl-HTMLMediaElement-waitingFor">waitingFor</a></code> attribute on the media element to <code><a href="#idl-def-MediaWaitingFor.none">"none"</a></code>.</p></li>
                                       <li><p>Abort these steps and process the decrypted block as normal.</p>
-                                        <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_41"><span>Note</span></div><p class="">In other words, decode the block.</p></div>
+                                        <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_42"><span>Note</span></div><p class="">In other words, decode the block.</p></div>
                                       </li>
                                     </ol>
                                   </dd>
                                 </dl>
-                                <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_42"><span>Note</span></div><p class="">Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p></div>
+                                <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_43"><span>Note</span></div><p class="">Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p></div>
                               </li>
                             </ol>
                           </dd>
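Review bot: In the renumbered h_note_43 note, "(i.e. using the wrong key)" reads as if a wrong key were the only decryption problem that does not produce a failure, while "Not all decryption problems" presents it as one example. Suggest "e.g." instead. The note would also be clearer if it named the error that "may be fired during decode", since the application gets no signal at this step.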
@@ -1783,7 +1787,7 @@
                             <div class="issue"><div class="issue-title" aria-level="3" role="heading" id="h_issue_7"><span>Issue 7</span></div><p class=""><a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=26372">Bug 26372</a> - It is TBD whether anything should happen in this case.</p></div>
                           </dd>
                           </dl>
-                          <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_43"><span>Note</span></div><p class="">Otherwise, there is no key for the <var title="true">block key ID</var> in any session so continue.</p></div>
+                          <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_44"><span>Note</span></div><p class="">Otherwise, there is no key for the <var title="true">block key ID</var> in any session so continue.</p></div>
                         </li>
                       </ol>
                     </li>
@@ -1793,7 +1797,7 @@
             </li>
             <li>
               <p>Run the following steps:</p>
-              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_44"><span>Note</span></div><p class="">These steps are reached when there is no usable key for the block.</p></div>
+              <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_45"><span>Note</span></div><p class="">These steps are reached when there is no usable key for the block.</p></div>
               <ol>
                 <li><p>Run the <a href="#algorithms-queue-waiting">queue a "waiting" event algorithm</a> on the media element.</p></li>
                 <li><p>Wait for a signal to resume playback.</p></li>
@@ -1801,7 +1805,7 @@
             </li>
           </ol>
       
-          <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_45"><span>Note</span></div><div class="">
+          <div class="note"><div class="note-title" aria-level="3" role="heading" id="h_note_46"><span>Note</span></div><div class="">
             <p>For frame-based encryption, this may be implemented as follows when the media element attempts to decode a frame as part of the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#concept-media-load-resource">resource fetch algorithm</a>:</p>
             <ol>
               <li><p>Let <var title="">encrypted</var> be false.</p></li>
@@ -1882,7 +1886,7 @@
     <section id="common-key-systems" typeof="bibo:Chapter" resource="#common-key-systems" rel="bibo:Chapter">
       <!--OddPage--><h2 role="heading" id="h2_common-key-systems"><span class="secno">7. </span>Common Key Systems</h2>
       <p>All user agents <em class="rfc2119" title="MUST">MUST</em> support the common key systems described in this section.</p><p>
-      </p><div class="note"><div class="note-title" aria-level="1" role="heading" id="h_note_46"><span>Note</span></div><p class="">This ensures that there is a common baseline level of protection that is guaranteed to be supported in all user agents, including those that are entirely open source.
+      </p><div class="note"><div class="note-title" aria-level="1" role="heading" id="h_note_47"><span>Note</span></div><p class="">This ensures that there is a common baseline level of protection that is guaranteed to be supported in all user agents, including those that are entirely open source.
         Thus, content providers that need only basic protection can build simple applications that will work on all platforms without needing to work with any content protection providers.
       </p></div>
   
@@ -2128,6 +2132,20 @@
         <p>Thus, in addition to the various mitigations described above, if a browser supports a mode of operation intended to preserve user anonymity, then User Agent implementers should carefully consider whether access to Key Systems should be disabled in this mode.
           For example, such modes <em class="rfc2119" title="MAY">MAY</em> prohibit creation of <a href="#idl-def-MediaKeySystemAccess" class="idlType"><code>MediaKeySystemAccess</code></a> objects that are <code><a href="#widl-MediaKeySystemOptions-stateful">stateful</a></code> or use a <code><a href="#widl-MediaKeySystemOptions-uniqueidentifier">uniqueidentifier</a></code> (either as part of the CDM implementation or because the application <code><a href="#idl-def-MediaKeysRequirement.required">"required"</a></code> them).
         </p>
+
+        <section id="privacy-individualization" typeof="bibo:Chapter" resource="#privacy-individualization" rel="bibo:Chapter">
+          <h4 role="heading" id="h4_privacy-individualization"><span class="secno">9.4.1 </span>Individualization</h4>
+          <p>Identifiers are sometimes obtained via a process called individualization or provisioning.
+            In all cases, implementations should avoid sending per-origin information to centralized servers since this could create a central record of all origins visited by a user or device.
+          </p>
+          <p>Per-origin individualization (resulting in a per-origin identifier) can - with appropriate precautions - provide better privacy than other individualization models. 
+            To preserve the benefits of such a design and to avoid introducing other privacy concerns:
+          </p>
+          <ul>
+            <li><p>Such implementations should not use identifiers for a device or user of a device in the individualization process.</p></li>
+            <li><p>Such implementations and the applications that support them should also avoid deferring or forwarding the individualization process to a central server or other server not controlled by the application author.</p></li>
+          </ul>
+        </section>
       </section>
   
       <section id="privacy-storedinfo" typeof="bibo:Chapter" resource="#privacy-storedinfo" rel="bibo:Chapter">
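Review bot: The new Individualization section states every requirement with a plain lowercase "should" ("implementations should avoid sending per-origin information to centralized servers", and both list items), while the paragraph just above marks its keyword with rfc2119 markup (MAY), so it is unclear whether these are RFC 2119 SHOULD-level requirements or advice. Either mark them up or state that the section is informative. The second list item also leaves "central server" undefined, with "other server not controlled by the application author" as the only criterion, and the added line ending "other individualization models. " has trailing whitespace.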