Bug 21203 - EME leaks information cross-origin
author Adrian Bateman <adrianba@microsoft.com>
Tue, 04 Jun 2013 08:01:41 -0700
changeset 131 69dbfb8baca8
parent 130 1ac9c2205a7b
child 132 63675668846c
encrypted-media/encrypted-media.html
encrypted-media/encrypted-media.xml
encrypted-media/spec-html.xsl
     1.1 --- a/encrypted-media/encrypted-media.html	Sat Jun 01 12:58:28 2013 -0700
     1.2 +++ b/encrypted-media/encrypted-media.html	Tue Jun 04 08:01:41 2013 -0700
     1.3 @@ -57,7 +57,7 @@
     1.4      <div class="head">
     1.5        <p><a href="http://www.w3.org/"><img src="https://www.w3.org/Icons/w3c_home" alt="W3C" width="72" height="48"></a></p>
     1.6        <h1>Encrypted Media Extensions</h1>
     1.7 -      <h2 id="draft-date">W3C Editor's Draft 28 May 2013</h2>
     1.8 +      <h2 id="draft-date">W3C Editor's Draft 4 June 2013</h2>
     1.9        <dl>
    1.10          <dt>This Version:</dt>
    1.11          <dd><a href="http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html">http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html</a></dd>
    1.12 @@ -256,6 +256,12 @@
    1.13      This data has a container-specific format and is assumed to contain one or more generic or Key System-specific sets of initialization information.
    1.14      </p>
    1.15  
    1.16 +    <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
    1.17 +    <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <code><a href="#dom-needkey">needkey</a></code>
    1.18 +    and <code><a href="#dom-keymessage">keymessage</a></code> events, <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> needs to be <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a> with the embedding page or
    1.19 +    use the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-img-crossorigin">crossorigin</a> attribute on the
    1.20 +    media element and CORS headers on the media data response to authorize cross-origin information exposure.
    1.21 +    </p>
    1.22  
    1.23      <h2 id="extensions">2. Media Element Extensions</h2>
    1.24      <p>We extend <dfn id="media-element" title="media element"><a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-element">media element</a></dfn> to allow decryption key acquisition to be handled in JavaScript.</p>
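Review bot: the new 1.2.5 paragraph presents the crossorigin attribute as an alternative to being CORS-same-origin ("needs to be CORS-same-origin with the embedding page or use the crossorigin attribute ... and CORS headers"), but under the linked HTML5 definition the attribute plus CORS headers on the response is precisely how a cross-origin fetch becomes CORS-same-origin, so the two clauses state one condition twice. Suggest: "media data must be CORS-same-origin with the embedding page; for cross-origin media this means setting the crossorigin attribute on the media element and returning CORS headers on the media data response." Since this is the only place the restriction is explained, it should also say what happens when the condition is not met (the later hunks fail the key request task and abort the resource fetch with MEDIA_ERR_ENCRYPTED), so a reader of the introduction is not surprised by those outcomes.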
    1.25 @@ -379,7 +385,8 @@
    1.26            <li>
    1.27  <p>Use <var title="true">cdm</var> to generate a key request and follow the steps for the first matching condition from the following list:</p>
    1.28              <dl class="switch">
    1.29 -              <dt>If a request is successfully generated</dt>
    1.30 +              <dt>If a request is successfully generated and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
    1.31 +</dt>
    1.32                <dd>
    1.33                <ol>
    1.34                  <li>
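Review bot: the CORS-same-origin test is evaluated only after `cdm` has already generated the key request, so initData taken from a non-CORS cross-origin resource is still handed to the CDM and processed; only the resulting message is withheld. If the goal is solely to keep the data away from the embedding origin's script this placement works, but the check is cheap and request generation is not, so move it ahead of "Use cdm to generate a key request" and fail before involving the CDM. The list is "first matching condition", so the not-CORS-same-origin case now drops to whatever branch follows this `<dt>`, which the hunk does not show; confirm that branch reports an error rather than completing the task silently.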
    1.35 @@ -491,6 +498,7 @@
    1.36            <li>If <var title="true">did store key</var> is true and the <a href="#media-element">media element</a> is <a href="#waiting-for-a-key">waiting for a key</a>, <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to attempt to resume playback.
    1.37              <p class="non-normative">In other words, resume playback if the necessary key is provided.</p>
    1.38            </li>
    1.39 +          <li><p>If <var title="true">next message</var> is not null and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is not <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>, jump to the <i>Error</i> step below and perform the task failed steps.</p></li>
    1.40            <li>
    1.41  <p>If <var title="true">next message</var> is not null, <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-keymessage">keymessage</a></code> at the <code><a href="#dom-mediakeysession">MediaKeySession</a></code> object.</p>
    1.42               <p>The event is of type <code><a href="#dom-mediakeymessageevent">MediaKeyMessageEvent</a></code> and has:</p>
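Review bot: the new step says to "jump to the Error step below and perform the task failed steps", but the Error step is conditioned on "If any of the preceding steps in the task failed" and nothing in this task has actually failed, so a reader following the steps literally never enters it. State explicitly that this condition is to be treated as a failure of the task (or write the abort into this step). Also check ordering: when did store key is true and next message is not null, the resume-playback task queued by the preceding step is not undone while the later keyadded step is skipped, so playback resumes with a key obtained from cross-origin media but the page never sees keyadded; if that is intended, say so, otherwise place this check before the resume-playback step.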
    1.43 @@ -501,7 +509,7 @@
    1.44            </li>
    1.45            <li><p>If <var title="true">did store key</var> is true, <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-keyadded">keyadded</a></code> at the <code><a href="#dom-mediakeysession">MediaKeySession</a></code> object.</p></li>
    1.46            <li>
    1.47 -<p>If any of the preceding steps in the task failed</p>
    1.48 +<p><i>Error</i>: If any of the preceding steps in the task failed</p>
    1.49                <ol>
    1.50                  <li>
    1.51  <p>Create a new <code><a href="#dom-mediakeyerror">MediaKeyError</a></code> object with the following attributes:</p>
    1.52 @@ -585,7 +593,7 @@
    1.53            <li>The media element's <code><a href="#dom-keys">keys</a></code> attribute is null</li>
    1.54          </ol>
    1.55        </dd>
    1.56 -      <p class="non-normative">Applications that support encrypted media should provide a <code><a href="#dom-needkey">needkey</a></code> handle and/or call <code><a href="#dom-setmediakeys">setMediaKeys()</a></code> no later than when <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is provided.</p>
    1.57 +      <p class="non-normative">Applications that support encrypted media should provide a <code><a href="#dom-needkey">needkey</a></code> handler and/or call <code><a href="#dom-setmediakeys">setMediaKeys()</a></code> no later than when <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is provided.</p>
    1.58        <p class="non-normative">If the user agent does not support decryption of this <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a>, it should report the same error it would for any other unsupported media data (e.g. <code>MEDIA_ERR_SRC_NOT_SUPPORTED</code>).</p>
    1.59      </dl>
    1.60  
    1.61 @@ -801,7 +809,15 @@
    1.62          </ol>
    1.63        </li>
    1.64        <li>
    1.65 -<p><i>Need Key</i>: <a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-needkey">needkey</a></code> at the <a href="#media-element">media element</a>.</p>
    1.66 +<p><i>Need Key</i>:</p>
    1.67 +        <dl class="switch">
    1.68 +          <dt>If the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
    1.69 +</dt>
    1.70 +          <dd>
    1.71 +<a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to <a href="http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event">fire a simple event</a> named <code><a href="#dom-needkey">needkey</a></code> at the <a href="#media-element">media element</a>.</dd>
    1.72 +          <dt>Otherwise</dt>
    1.73 +          <dd>Abort media element's <a href="http://www.w3.org/TR/html5/embedded-content-0.html#concept-media-load-resource">resource fetch algorithm</a> and run the steps to report a <code><a href="#dom-media_err_encrypted">MEDIA_ERR_ENCRYPTED</a></code> error.</dd>
    1.74 +        </dl>
    1.75          <p>The event is of type <code><a href="#dom-mediakeyneededevent">MediaKeyNeededEvent</a></code> and has:</p>
    1.76          <ul style="list-style-type:none"><li>
    1.77            <code><a href="#dom-initdata">initData</a></code> = <var title="">initData</var>
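Review bot: reporting MEDIA_ERR_ENCRYPTED when the media data is not CORS-same-origin tells the embedding page that the cross-origin resource is encrypted, which is itself cross-origin information this patch is meant to withhold (a page can probe arbitrary URLs and distinguish encrypted from unencrypted media by error code). The non-normative note in the earlier hunk already says that media the user agent cannot decrypt "should report the same error it would for any other unsupported media data (e.g. MEDIA_ERR_SRC_NOT_SUPPORTED)"; apply the same rule here so that a non-CORS cross-origin encrypted resource is indistinguishable from an unsupported one.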
    1.78 @@ -848,7 +864,7 @@
    1.79            </dl>
    1.80            <p class="non-normative">Note: Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p>
    1.81          </dd>
    1.82 -        <dt>If there is an event handler for <code><a href="#dom-needkey">needkey</a></code>
    1.83 +        <dt>If there is an event handler for <code><a href="#dom-needkey">needkey</a></code> and the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a> is <a href="http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin">CORS-same-origin</a>
    1.84  </dt>
    1.85          <dd>
    1.86          <p>Take no action.</p>
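Review bot: with the added clause, media that is not CORS-same-origin falls out of this `<dt>` into the following branch, but the Need Key step changed earlier in this patch already aborts the resource fetch algorithm and reports an error before such media can reach this point, so the new condition appears unreachable. If it is purely defensive, say so in a non-normative note; if the two steps are meant to differ (this one only applies when a needkey handler exists), state which takes precedence.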
     2.1 --- a/encrypted-media/encrypted-media.xml	Sat Jun 01 12:58:28 2013 -0700
     2.2 +++ b/encrypted-media/encrypted-media.xml	Tue Jun 04 08:01:41 2013 -0700
     2.3 @@ -56,7 +56,7 @@
     2.4      <div class="head">
     2.5        <p><a href="http://www.w3.org/"><img src="https://www.w3.org/Icons/w3c_home" alt="W3C" width="72" height="48" /></a></p>
     2.6        <h1>Encrypted Media Extensions</h1>
     2.7 -      <h2 id="draft-date">W3C Editor's Draft 28 May 2013</h2>
     2.8 +      <h2 id="draft-date">W3C Editor's Draft 4 June 2013</h2>
     2.9        <dl>
    2.10          <dt>This Version:</dt>
    2.11          <dd><a href="http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html">http://dvcs.w3.org/hg/html-media/raw-file/default/encrypted-media/encrypted-media.html</a></dd>
    2.12 @@ -252,6 +252,12 @@
    2.13      This data has a container-specific format and is assumed to contain one or more generic or Key System-specific sets of initialization information.
    2.14      </p>
    2.15  
    2.16 +    <h4 id="cross-origin-support">1.2.5. Cross Origin Support</h4>
    2.17 +    <p>During playback, embedded media data is exposed to script in the embedding origin. In order for the API to fire <coderef>needkey</coderef>
    2.18 +    and <coderef>keymessage</coderef> events, <videoanchor name="media-data">media data</videoanchor> needs to be <cors-same-origin/> with the embedding page or
    2.19 +    use the <videoanchor name="attr-img-crossorigin">crossorigin</videoanchor> attribute on the
    2.20 +    media element and CORS headers on the media data response to authorize cross-origin information exposure.
    2.21 +    </p>
    2.22  
    2.23      <h2 id="extensions">2. Media Element Extensions</h2>
    2.24      <p>We extend <dfn id="media-element" title="media element"><media-element/></dfn> to allow decryption key acquisition to be handled in JavaScript.</p>
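Review bot: `<videoanchor name="attr-img-crossorigin">` links the crossorigin attribute to the img element's definition, but the sentence is about the attribute on the media element, which HTML5 defines separately as attr-media-crossorigin; the generated html inherits the same wrong target. Suggest `<videoanchor name="attr-media-crossorigin">crossorigin</videoanchor>`.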
    2.25 @@ -367,7 +373,7 @@
    2.26            <li><p>Let <var title="true">defaultURL</var> be null.</p></li>
    2.27            <li><p>Use <var title="true">cdm</var> to generate a key request and follow the steps for the first matching condition from the following list:</p>
    2.28              <dl class="switch">
    2.29 -              <dt>If a request is successfully generated</dt>
    2.30 +              <dt>If a request is successfully generated and the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
    2.31                <dd>
    2.32                <ol>
    2.33                  <li><p>Let <var title="true">key request</var> be a key request generated by the <a href="#cdm">CDM</a> using <var title="true">initData</var>, if provided.</p>
    2.34 @@ -472,6 +478,7 @@
    2.35            <li>If <var title="true">did store key</var> is true and the <a href="#media-element">media element</a> is <a href="#waiting-for-a-key">waiting for a key</a>, <queue-a-task/> to attempt to resume playback.
    2.36              <p class="non-normative">In other words, resume playback if the necessary key is provided.</p>
    2.37            </li>
    2.38 +          <li><p>If <var title="true">next message</var> is not null and the <videoanchor name="media-data">media data</videoanchor> is not <cors-same-origin/>, jump to the <i>Error</i> step below and perform the task failed steps.</p></li>
    2.39            <li><p>If <var title="true">next message</var> is not null, <queue-a-task/> to <fire-a-simple-event/> named <coderef>keymessage</coderef> at the <coderef>MediaKeySession</coderef> object.</p>
    2.40               <p>The event is of type <coderef>MediaKeyMessageEvent</coderef> and has:</p>
    2.41               <ul style="list-style-type:none"><li>
    2.42 @@ -480,7 +487,7 @@
    2.43               </li></ul>
    2.44            </li>
    2.45            <li><p>If <var title="true">did store key</var> is true, <queue-a-task/> to <fire-a-simple-event/> named <coderef>keyadded</coderef> at the <coderef>MediaKeySession</coderef> object.</p></li>
    2.46 -          <li><p>If any of the preceding steps in the task failed</p>
    2.47 +          <li><p><i>Error</i>: If any of the preceding steps in the task failed</p>
    2.48                <ol>
    2.49                  <li><p>Create a new <coderef>MediaKeyError</coderef> object with the following attributes:</p>
    2.50                    <ul style="list-style-type:none"><li>
    2.51 @@ -555,7 +562,7 @@
    2.52            <li>The media element's <coderef>keys</coderef> attribute is null</li>
    2.53          </ol>
    2.54        </dd>
    2.55 -      <p class="non-normative">Applications that support encrypted media should provide a <coderef>needkey</coderef> handle and/or call <methodref>setMediaKeys</methodref> no later than when <videoanchor name="media-data">media data</videoanchor> is provided.</p>
    2.56 +      <p class="non-normative">Applications that support encrypted media should provide a <coderef>needkey</coderef> handler and/or call <methodref>setMediaKeys</methodref> no later than when <videoanchor name="media-data">media data</videoanchor> is provided.</p>
    2.57        <p class="non-normative">If the user agent does not support decryption of this <videoanchor name="media-data">media data</videoanchor>, it should report the same error it would for any other unsupported media data (e.g. <code>MEDIA_ERR_SRC_NOT_SUPPORTED</code>).</p>
    2.58      </dl>
    2.59  
    2.60 @@ -752,7 +759,13 @@
    2.61            </li>
    2.62          </ol>
    2.63        </li>
    2.64 -      <li><p><i>Need Key</i>: <queue-a-task/> to <fire-a-simple-event/> named <coderef>needkey</coderef> at the <a href="#media-element">media element</a>.</p>
    2.65 +      <li><p><i>Need Key</i>:</p>
    2.66 +        <dl class="switch">
    2.67 +          <dt>If the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
    2.68 +          <dd><Queue-a-task/> to <fire-a-simple-event/> named <coderef>needkey</coderef> at the <a href="#media-element">media element</a>.</dd>
    2.69 +          <dt>Otherwise</dt>
    2.70 +          <dd>Abort media element's <resource-fetch-algorithm/> and run the steps to report a <coderef>MEDIA_ERR_ENCRYPTED</coderef> error.</dd>
    2.71 +        </dl>
    2.72          <p>The event is of type <coderef>MediaKeyNeededEvent</coderef> and has:</p>
    2.73          <ul style="list-style-type:none"><li>
    2.74            <coderef>initData</coderef> = <var title="">initData</var>
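Review bot: "The event is of type MediaKeyNeededEvent and has:" and the attribute list that follows it are left after the closing `</dl>`, so they now read as applying to both branches, including the Otherwise branch that fires no event and aborts the fetch. Move them inside the first `<dd>`, directly after the fire-a-simple-event step, so the event description is attached only to the branch that fires it.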
    2.75 @@ -796,7 +809,7 @@
    2.76            </dl>
    2.77            <p class="non-normative">Note: Not all decryption problems (i.e. using the wrong key) will result in a decryption failure. In such cases, no error is fired here but one may be fired during decode.</p>
    2.78          </dd>
    2.79 -        <dt>If there is an event handler for <coderef>needkey</coderef></dt>
    2.80 +        <dt>If there is an event handler for <coderef>needkey</coderef> and the <videoanchor name="media-data">media data</videoanchor> is <cors-same-origin/></dt>
    2.81          <dd>
    2.82          <p>Take no action.</p>
    2.83          <p class="non-normative">The <a href="#media-element">media element</a> is said to be <videoref name="potentially-playing">potentially playing</videoref>
     3.1 --- a/encrypted-media/spec-html.xsl	Sat Jun 01 12:58:28 2013 -0700
     3.2 +++ b/encrypted-media/spec-html.xsl	Tue Jun 04 08:01:41 2013 -0700
     3.3 @@ -116,6 +116,10 @@
     3.4      <a><xsl:attribute name="href">http://www.w3.org/TR/html5/webappapis.html#queue-a-task</xsl:attribute>queue a task</a>
     3.5    </xsl:template>
     3.6  
     3.7 +  <xsl:template match="//Queue-a-task">
     3.8 +    <a><xsl:attribute name="href">http://www.w3.org/TR/html5/webappapis.html#queue-a-task</xsl:attribute>Queue a task</a>
     3.9 +  </xsl:template>
    3.10 +
    3.11    <xsl:template match="//fire-a-simple-event">
    3.12      <a><xsl:attribute name="href">http://www.w3.org/TR/html5/webappapis.html#fire-a-simple-event</xsl:attribute>fire a simple event</a>
    3.13    </xsl:template>
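Review bot: introducing a separate `Queue-a-task` element solely to get a capital letter duplicates the existing queue-a-task template and makes element names in the XML source case-significant in a way a later editor will not expect (a typo in case silently produces an unexpanded tag). Prefer keeping the one lowercase template and rewording the sentence so it does not start with the link (e.g. "Otherwise, queue a task ..."), or handle capitalisation with an attribute on the existing template, rather than forking a template per casing.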
    3.14 @@ -136,6 +140,10 @@
    3.15      <a><xsl:attribute name="href">http://www.w3.org/TR/html5/infrastructure.html#ascii-compatible-character-encoding</xsl:attribute>ASCII-compatible character encoding</a>
    3.16    </xsl:template>
    3.17  
    3.18 +  <xsl:template match="//cors-same-origin">
    3.19 +    <a><xsl:attribute name="href">http://www.w3.org/TR/html5/infrastructure.html#cors-same-origin</xsl:attribute>CORS-same-origin</a>
    3.20 +  </xsl:template>
    3.21 +
    3.22    <xsl:template match="//non-normative-section">
    3.23      <p><i>This section is non-normative.</i></p>
    3.24    </xsl:template>