Bug 21203 - EME leaks information cross-origin - tidying up
authorAdrian Bateman <adrianba@microsoft.com>
Mon, 16 Sep 2013 22:20:40 -0700
changeset 156 e9e9690472e0
parent 155 83629aec22e1
child 157 1125c81d975f
Bug 21203 - EME leaks information cross-origin - tidying up
encrypted-media/encrypted-media.html
encrypted-media/encrypted-media.xml
--- a/encrypted-media/encrypted-media.html	Mon Sep 16 22:09:35 2013 -0700
+++ b/encrypted-media/encrypted-media.html	Mon Sep 16 22:20:40 2013 -0700
@@ -260,7 +260,7 @@
 
     <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
     <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <code><a href="#dom-needkey">needkey</a></code>
-    and <code><a href="#dom-keymessage">keymessage</a></code> events, <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> needs to be <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> with the embedding page.
+    and <code><a href="#dom-keymessage">keymessage</a></code> events, <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> must be <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> with the embedding page.
     If <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is cross-origin with the embedding document, authors should use the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-media-crossorigin">crossorigin</a> attribute
     on the <a href="#media-element">media element</a> and CORS headers on the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> response to make it <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>.
     </p>
@@ -945,7 +945,7 @@
           </dl>
           <p class="non-normative">Note: Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p>
         </dd>
-        <dt>If there is an event handler for <code><a href="#dom-needkey">needkey</a></code> and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
+        <dt>If there is an event handler for <code><a href="#dom-needkey">needkey</a></code>
 </dt>
         <dd>
         <p>Take no action.</p>
--- a/encrypted-media/encrypted-media.xml	Mon Sep 16 22:09:35 2013 -0700
+++ b/encrypted-media/encrypted-media.xml	Mon Sep 16 22:20:40 2013 -0700
@@ -256,7 +256,7 @@
 
     <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
     <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <coderef>needkey</coderef>
-    and <coderef>keymessage</coderef> events, <videoanchor name="media-data">media data</videoanchor> needs to be <cors-same-origin/> with the embedding page.
+    and <coderef>keymessage</coderef> events, <videoanchor name="media-data">media data</videoanchor> must be <cors-same-origin/> with the embedding page.
     If <videoanchor name="media-data">media data</videoanchor> is cross-origin with the embedding document, authors should use the <videoanchor name="attr-media-crossorigin">crossorigin</videoanchor> attribute
     on the <a href="#media-element">media element</a> and CORS headers on the <videoanchor name="media-data">media data</videoanchor> response to make it <cors-same-origin/>.
     </p>
@@ -888,7 +888,7 @@
           </dl>
           <p class="non-normative">Note: Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p>
         </dd>
-        <dt>If there is an event handler for <coderef>needkey</coderef> and the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
+        <dt>If there is an event handler for <coderef>needkey</coderef></dt>
         <dd>
         <p>Take no action.</p>
         <p class="non-normative">The <a href="#media-element">media element</a> is said to be <videoref name="potentially-playing">potentially playing</videoref>