This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 23733 - Consider prohibiting support of active content by CDMs
Summary: Consider prohibiting support of active content by CDMs
Status: RESOLVED FIXED
Alias: None
Product: HTML WG
Classification: Unclassified
Component: Encrypted Media Extensions
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Adrian Bateman [MSFT]
QA Contact: HTML WG Bugzilla archive list
Reported: 2013-11-05 20:37 UTC by Mark Watson
Modified: 2013-12-12 23:34 UTC

Description Mark Watson 2013-11-05 20:37:03 UTC
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22909 discusses the security implications of active content [SECURITY GLOSSARY] in keymessages, initialization data and media data.

Unless anyone objects, it might be simpler to prohibit support of such content by CDMs.

[SECURITY GLOSSARY] Shirey, R., Internet Security Glossary, Version 2, RFC 4949, August 2007, IETF.

Comment 1 Pierre Lemieux 2013-11-06 01:03:38 UTC
I think the term "executable software" is vague under "active content" in [SECURITY GLOSSARY]. Aren't PDF files essentially programs, for instance? Where does one draw the line?

Comment 2 Adrian Bateman [MSFT] 2013-12-12 23:34:58 UTC
I have updated this paragraph in the spec to avoid the term active content. In general, browsers need to treat this data as untrusted and take appropriate measures.
https://dvcs.w3.org/hg/html-media/rev/ced285c99703