23733 2013-11-05 20:37:03 +0000 Consider prohibiting support of active content by CDMs 2013-12-12 23:34:58 +0000 1 1 1 Unclassified HTML WG Encrypted Media Extensions unspecified PC All RESOLVED FIXED P2 normal --- 1 watsonm adrianba mike pal public-html-media public-html-bugzilla oldest_to_newest 95829 0 watsonm 2013-11-05 20:37:03 +0000 https://www.w3.org/Bugs/Public/show_bug.cgi?id=22909 discusses the security implications of active content [SECURITY GLOSSARY] in keymessages, initialization data and media data. Unless anyone objects, it might be simpler to prohibit support of such content by CDMs. [SECURITY GLOSSARY] Shirey, R., Internet Security Glossary, Version 2, RFC 4949, August 2007, IETF. 95834 1 pal 2013-11-06 01:03:38 +0000 I think the term "executable software" is vague under "active content" in [SECURITY GLOSSARY]. Aren't PDF files essentially programs, for instance? Where does one draw the line? 97552 2 adrianba 2013-12-12 23:34:58 +0000 I have updated this paragraph in the spec to avoid the term active content. In general, browsers need to treat this data as untrusted and take appropriate measures. https://dvcs.w3.org/hg/html-media/rev/ced285c99703