This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22909 discusses the security implications of active content [SECURITY GLOSSARY] in keymessages, initialization data and media data. Unless anyone objects, it might be simpler to prohibit support of such content by CDMs.
[SECURITY GLOSSARY] Shirey, R., Internet Security Glossary, Version 2, RFC 4949, August 2007, IETF.
I think the term "executable software" is vague under "active content" in [SECURITY GLOSSARY]. Aren't PDF files essentially programs, for instance? Where does one draw the line?
I have updated this paragraph in the spec to avoid the term active content. In general, browsers need to treat this data as untrusted and take appropriate measures. https://dvcs.w3.org/hg/html-media/rev/ced285c99703