[EME] Bug 24026 - Document that URLs (destinationURL) should/may be validated and/or normalized
author: David Dorwin <ddorwin@google.com>
Mon, 05 May 2014 17:48:03 -0700
changeset 303 9e5a46f75bd7
parent 302 7ae17d9a91f1
child 304 702cf19177e0
encrypted-media/encrypted-media.html
encrypted-media/encrypted-media.xml
--- a/encrypted-media/encrypted-media.html	Mon May 05 14:00:37 2014 -0700
+++ b/encrypted-media/encrypted-media.html	Mon May 05 17:48:03 2014 -0700
@@ -493,7 +493,7 @@
                 <p class="non-normative">Note: The license server may reject the requested type. It should not issue a different type.</p>
                 <p><var title="true">cdm</var> must not use any stream-specific data, including <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a>, not provided via the <var>init data</var>.</p>
               </li>
-              <li><p>If the <var>init data</var> indicates a default URL relevant to <var title="true">keySystem</var>, let <var title="true">default URL</var> be that URL.</p></li>
+              <li><p>If the <var>init data</var> indicates a default URL, let <var title="true">default URL</var> be that URL. The URL may be validated and/or normalized.</p></li>
             </ol>
           </li>
           <li><p>Let the <var title="true">session ID</var> be a unique <a href="#session-id">Session ID</a> string. <span class="non-normative">It may be obtained from <var title="true">cdm</var>.</span></p></li>
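Review bot: The added sentence on the changed line leaves the outcome of a failed validation undefined: "The URL may be validated and/or normalized" does not say what <var>default URL</var> becomes when the URL carried in the init data fails validation (the attribute text later in this patch allows null, but this step never sets it). Suggest stating it here, e.g. "If the URL is validated and validation fails, let <var title="true">default URL</var> be null." Also, this line silently drops the qualifier "relevant to <var>keySystem</var>" from the original step, which the commit message does not mention; if the intent is that any default URL in the init data is used regardless of Key System, that deserves its own line in the message, or a separate change.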
@@ -541,7 +541,7 @@
 <p>If a message exchange is required:</p>
                 <ol>
                   <li><p>Let <var title="true">request</var> be a request generated by the <a href="#cdm">CDM</a> based on the <var title="true">session data</var>.</p></li>
-                  <li><p>If the <var title="true">session data</var> indicates a destination URL for the request, let <var title="true">destination URL</var> be that URL.</p></li>
+                  <li><p>If the <var title="true">session data</var> indicates a destination URL for the request, let <var title="true">destination URL</var> be that URL. The URL may be validated and/or normalized.</p></li>
                 </ol>
               </li>
             </ol>
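Review bot: "validated and/or normalized" on the changed line is not defined anywhere in this patch; normalization can mean anything from percent-encoding cleanup to a full parse-and-serialize, and two implementations that "normalize" differently will hand applications different <var>destination URL</var> values for the same session data, which is exactly the inconsistency the new attribute text warns about. Suggest defining the term once (ideally by reference to a URL parsing algorithm) and pointing to that definition from this step instead of repeating the phrase.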
@@ -748,7 +748,7 @@
 <p>If another message needs to be sent to the server, execute the following steps:</p>
                 <ol>
                   <li><p>Let <var title="true">request</var> be that message.</p></li>
-                  <li><p>If there is a specific destination URL for the message, let <var title="true">destination URL</var> be that URL.</p></li>
+                  <li><p>If there is a specific destination URL for the message, let <var title="true">destination URL</var> be that URL. The URL may be validated and/or normalized.</p></li>
                 </ol>
               </li>
             </ol>
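Review bot: This is the third copy of the same "The URL may be validated and/or normalized." sentence (default URL, destination URL in the initial exchange, destination URL for subsequent messages); three copies will drift as soon as one is later tightened. Suggest factoring it into a single defined step, e.g. "Let <var title="true">destination URL</var> be the result of running the URL validation steps on that URL", and referencing that step from all three places.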
@@ -946,17 +946,17 @@
 <var title="">event</var> . <code><a href="#dom-destinationurl">destinationURL</a></code>
 </dt>
      <dd>
-       <p>Returns the URL to send the <code><a href="#dom-message">message</a></code> to.</p>
+       <p>Returns the URL to which the <code><a href="#dom-message">message</a></code> should be sent.</p>
      </dd>
     </dl>
     <div class="impl">
     <p>The <dfn id="dom-initdatatype"><code>initDataType</code></dfn> attribute contains a string indicating the <a href="#initialization-data-type">initialization data type</a> specific to the event. The format of the <code><a href="#dom-initdata">initData</a></code> will vary according to the <code><a href="#dom-initdatatype">initDataType</a></code>.</p>
     <p>The <dfn id="dom-initdata"><code>initData</code></dfn> attribute contains <a href="#initialization-data">Initialization Data</a> specific to the event.</p>
     <p>The <dfn id="dom-message"><code>message</code></dfn> attribute contains a message from the CDM. Messages are Key System-specific. <span class="non-normative">In most cases, it should be sent to a key server.</span></p>
-    <p>The <dfn id="dom-destinationurl"><code>destinationURL</code></dfn> is the URL to send the <code><a href="#dom-message">message</a></code> to.
-       An application <em>may</em> override this.
-       <span class="non-normative">In some cases, it may have been provided by the <a href="http://www.w3.org/TR/html5/embedded-content-0.html#media-data">media data</a>.</span>
+    <p>The <dfn id="dom-destinationurl"><code>destinationURL</code></dfn> is the URL to which the <code><a href="#dom-message">message</a></code> should be sent.
        It may be null.
+       An application <em>may</em> choose not to send the message to this URL.
+       Implementations may validate and/or normalize the URL, which could result in a value that is different from the original or null. Applications should not assume that the value of this attribute will be identical across implementations.
     </p>
     </div>
 
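Review bot: "the URL to which the message should be sent" in the new lines reads as a normative SHOULD, yet two lines later "An application <em>may</em> choose not to send the message to this URL"; the two sentences pull in opposite directions. Suggest neutral wording such as "the URL the CDM indicates the message is intended for". The new sentence "could result in a value that is different from the original or null" also makes the attribute nullable in more cases; the IDL for destinationURL is not in this hunk, so please confirm it is declared nullable (DOMString?) to match "It may be null." Finally, the removed non-normative sentence about the URL possibly coming from the media data was the only text telling application authors that this value originates from content rather than from the UA; consider replacing it with a pointer to the Security Considerations section rather than dropping it outright.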
@@ -1280,9 +1280,9 @@
 <div class="issue-title"><span>Issue 5</span></div>Note: This section is not final and review is welcome.</div>
 
     <p>Key system implementations must consider initialization data, key data and media data as potential attack vectors and must take care to safely parse, decrypt etc. initialization data, key data and media data. User Agents may want to validate data before passing it to the CDM, especially if the CDM does not run in the same (sandboxed) context as the DOM (i.e. rendering). </p>
-    <p>User Agents should treat key data and media data as untrusted content and use appropriate safeguards to mitigate any associated threats.</p>
+    <p>User Agents should treat media data, key data, URLs, and any other data from the application as untrusted content and use appropriate safeguards to mitigate any associated threats.</p>
     <p>User Agents are responsible for providing users with a secure way to browse the web. Since User Agents may integrate with third party CDM implementations, CDM implementers must provide sufficient information and controls to user agent implementers to enable them to properly asses the security implications of integrating with the Key System.</p>
-    <p>Note: unsandboxed CDMs (or CDMs that use platform features) and UAs that use them must be especially careful in all areas of security, including parsing of key and media data, etc. due to the potential for compromises to provide access to OS/platform features, interact with or run as root, access drivers, kernel, firmware, hardware, etc., all of which may not be written to be robust against hostile software or web-based attacks. Additionally, CDMs may not be updated with security fixes as frequently, especially when part of the OS, platform or hardware.</p>
+    <p>Note: Unsandboxed CDMs (or CDMs that use platform features) and UAs that use them must be especially careful in all areas of security, including parsing of key and media data, etc. due to the potential for compromises to provide access to OS/platform features, interact with or run as root, access drivers, kernel, firmware, hardware, etc., all of which may not be written to be robust against hostile software or web-based attacks. Additionally, CDMs may not be updated with security fixes as frequently, especially when part of the OS, platform or hardware.</p>
     
     </div>
     <h2 id="privacy">7. Privacy Considerations</h2>
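Review bot: The new sentence correctly widens the untrusted set to URLs and "any other data from the application", but the paragraph still gives no guidance on what a UA should validate a URL against, so "appropriate safeguards" stays unactionable; at minimum, a note that the UA may restrict the scheme (for example to https) and should not treat the URL as authoritative for anything beyond where the application sends the message would help. Drive-by in the unchanged context line: "properly asses the security implications" should read "assess"; since the line is already in this hunk's context it could be fixed in the same patch, in both the .html and the .xml.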
--- a/encrypted-media/encrypted-media.xml	Mon May 05 14:00:37 2014 -0700
+++ b/encrypted-media/encrypted-media.xml	Mon May 05 17:48:03 2014 -0700
@@ -476,7 +476,7 @@
                 <p class="non-normative">Note: The license server may reject the requested type. It should not issue a different type.</p>
                 <p><var title="true">cdm</var> must not use any stream-specific data, including <videoanchor name="media-data">media data</videoanchor>, not provided via the <var>init data</var>.</p>
               </li>
-              <li><p>If the <var>init data</var> indicates a default URL relevant to <var title="true">keySystem</var>, let <var title="true">default URL</var> be that URL.</p></li>
+              <li><p>If the <var>init data</var> indicates a default URL, let <var title="true">default URL</var> be that URL. The URL may be validated and/or normalized.</p></li>
             </ol>
           </li>
           <li><p>Let the <var title="true">session ID</var> be a unique <a href="#session-id">Session ID</a> string. <span class="non-normative">It may be obtained from <var title="true">cdm</var>.</span></p></li>
@@ -520,7 +520,7 @@
               <li><p>If a message exchange is required:</p>
                 <ol>
                   <li><p>Let <var title="true">request</var> be a request generated by the <a href="#cdm">CDM</a> based on the <var title="true">session data</var>.</p></li>
-                  <li><p>If the <var title="true">session data</var> indicates a destination URL for the request, let <var title="true">destination URL</var> be that URL.</p></li>
+                  <li><p>If the <var title="true">session data</var> indicates a destination URL for the request, let <var title="true">destination URL</var> be that URL. The URL may be validated and/or normalized.</p></li>
                 </ol>
               </li>
             </ol>
@@ -705,7 +705,7 @@
               <li><p>If another message needs to be sent to the server, execute the following steps:</p>
                 <ol>
                   <li><p>Let <var title="true">request</var> be that message.</p></li>
-                  <li><p>If there is a specific destination URL for the message, let <var title="true">destination URL</var> be that URL.</p></li>
+                  <li><p>If there is a specific destination URL for the message, let <var title="true">destination URL</var> be that URL. The URL may be validated and/or normalized.</p></li>
                 </ol>
               </li>
             </ol>
@@ -887,17 +887,17 @@
      </dd>
      <dt><var title="">event</var> . <coderef>destinationURL</coderef></dt>
      <dd>
-       <p>Returns the URL to send the <coderef>message</coderef> to.</p>
+       <p>Returns the URL to which the <coderef>message</coderef> should be sent.</p>
      </dd>
     </dl>
     <div class="impl">
     <p>The <codedfn>initDataType</codedfn> attribute contains a string indicating the <a href="#initialization-data-type">initialization data type</a> specific to the event. The format of the <coderef>initData</coderef> will vary according to the <coderef>initDataType</coderef>.</p>
     <p>The <codedfn>initData</codedfn> attribute contains <a href="#initialization-data">Initialization Data</a> specific to the event.</p>
     <p>The <codedfn>message</codedfn> attribute contains a message from the CDM. Messages are Key System-specific. <span class="non-normative">In most cases, it should be sent to a key server.</span></p>
-    <p>The <codedfn>destinationURL</codedfn> is the URL to send the <coderef>message</coderef> to.
-       An application <em>may</em> override this.
-       <span class="non-normative">In some cases, it may have been provided by the <videoanchor name="media-data">media data</videoanchor>.</span>
+    <p>The <codedfn>destinationURL</codedfn> is the URL to which the <coderef>message</coderef> should be sent.
        It may be null.
+       An application <em>may</em> choose not to send the message to this URL.
+       Implementations may validate and/or normalize the URL, which could result in a value that is different from the original or null. Applications should not assume that the value of this attribute will be identical across implementations.
     </p>
     </div>
 
@@ -1210,9 +1210,9 @@
     <div class="issue"><div class="issue-title"><span>Issue 5</span></div>Note: This section is not final and review is welcome.</div>
 
     <p>Key system implementations must consider initialization data, key data and media data as potential attack vectors and must take care to safely parse, decrypt etc. initialization data, key data and media data. User Agents may want to validate data before passing it to the CDM, especially if the CDM does not run in the same (sandboxed) context as the DOM (i.e. rendering). </p>
-    <p>User Agents should treat key data and media data as untrusted content and use appropriate safeguards to mitigate any associated threats.</p>
+    <p>User Agents should treat media data, key data, URLs, and any other data from the application as untrusted content and use appropriate safeguards to mitigate any associated threats.</p>
     <p>User Agents are responsible for providing users with a secure way to browse the web. Since User Agents may integrate with third party CDM implementations, CDM implementers must provide sufficient information and controls to user agent implementers to enable them to properly asses the security implications of integrating with the Key System.</p>
-    <p>Note: unsandboxed CDMs (or CDMs that use platform features) and UAs that use them must be especially careful in all areas of security, including parsing of key and media data, etc. due to the potential for compromises to provide access to OS/platform features, interact with or run as root, access drivers, kernel, firmware, hardware, etc., all of which may not be written to be robust against hostile software or web-based attacks. Additionally, CDMs may not be updated with security fixes as frequently, especially when part of the OS, platform or hardware.</p>
+    <p>Note: Unsandboxed CDMs (or CDMs that use platform features) and UAs that use them must be especially careful in all areas of security, including parsing of key and media data, etc. due to the potential for compromises to provide access to OS/platform features, interact with or run as root, access drivers, kernel, firmware, hardware, etc., all of which may not be written to be robust against hostile software or web-based attacks. Additionally, CDMs may not be updated with security fixes as frequently, especially when part of the OS, platform or hardware.</p>
     
     </div>
     <h2 id="privacy">7. Privacy Considerations</h2>