Bug 21203 - EME leaks information cross-origin
author Adrian Bateman <adrianba@microsoft.com>
Tue, 27 Aug 2013 07:59:18 -0700
changeset 151 5c8bb7219191
parent 150 6bedfa23739d
child 152 9b242f232a5f
Bug 21203 - EME leaks information cross-origin
encrypted-media/encrypted-media.html
encrypted-media/encrypted-media.xml
--- a/encrypted-media/encrypted-media.html	Tue Aug 27 07:45:42 2013 -0700
+++ b/encrypted-media/encrypted-media.html	Tue Aug 27 07:59:18 2013 -0700
@@ -258,9 +258,9 @@
 
     <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
     <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <code><a href="#dom-needkey">needkey</a></code>
-    and <code><a href="#dom-keymessage">keymessage</a></code> events, <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> needs to be <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> with the embedding page or
-    use the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-img-crossorigin">crossorigin</a> attribute on the
-    media element and CORS headers on the media data response to authorize cross-origin information exposure.
+    and <code><a href="#dom-keymessage">keymessage</a></code> events, <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> needs to be <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> with the embedding page.
+    If <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is cross-origin with the embedding document, authors should use the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-media-crossorigin">crossorigin</a> attribute
+    on the <a href="#media-element">media element</a> and CORS headers on the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> response to make it <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>."
     </p>
 
     <h2 id="extensions">2. Media Element Extensions</h2>
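Review bot: The rewritten paragraph in 1.2.5 still only says media data "needs to be" CORS-same-origin for needkey and keymessage to fire, and the new second sentence is advice to authors ("authors should use the crossorigin attribute"). Nothing in the added lines says what the user agent does when the media data is not CORS-same-origin. Since the bug is about information leaking cross-origin, consider stating the user agent requirement explicitly, for example that the events are not fired in that case, so the protection does not depend on author behaviour.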
--- a/encrypted-media/encrypted-media.xml	Tue Aug 27 07:45:42 2013 -0700
+++ b/encrypted-media/encrypted-media.xml	Tue Aug 27 07:59:18 2013 -0700
@@ -254,9 +254,9 @@
 
     <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
     <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <coderef>needkey</coderef>
-    and <coderef>keymessage</coderef> events, <videoanchor name="media-data">media data</videoanchor> needs to be <cors-same-origin/> with the embedding page or
-    use the <videoanchor name="attr-img-crossorigin">crossorigin</videoanchor> attribute on the
-    media element and CORS headers on the media data response to authorize cross-origin information exposure.
+    and <coderef>keymessage</coderef> events, <videoanchor name="media-data">media data</videoanchor> needs to be <cors-same-origin/> with the embedding page.
+    If <videoanchor name="media-data">media data</videoanchor> is cross-origin with the embedding document, authors should use the <videoanchor name="attr-media-crossorigin">crossorigin</videoanchor> attribute
+    on the <a href="#media-element">media element</a> and CORS headers on the <videoanchor name="media-data">media data</videoanchor> response to make it <cors-same-origin/>."
     </p>
 
     <h2 id="extensions">2. Media Element Extensions</h2>
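Review bot: The last added line ends with a stray double quote after the period (`<cors-same-origin/>."`), and the same character appears at the end of the added text in the .html hunk; it looks like a leftover from pasting quoted text and should be dropped in both files. Also on that line, "media element" is linked with a raw `<a href="#media-element">` while the other references in the paragraph use the source's own elements (`<videoanchor>`, `<coderef>`, `<cors-same-origin/>`); worth checking that this is the intended form for a local anchor in the XML source.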