Disallow calling navigator.requestMediaKeySystemAccess() from cross-origin iframes
Categories
(Core :: Audio/Video, enhancement, P3)
Tracking
()
People
(Reporter: ehsan.akhgari, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: site-compat)
Allowing access to EME from third-party contexts allows the extraction of the supported media key systems, which can be a fingerprinting vector. Chrome disallows this access by default, we should probably do the same.
See this spec issue: https://github.com/w3c/encrypted-media/issues/364.
:Ehsan, do you know if we have any prior art around feature policy? This file on the spec github makes it look like it's a Chromium specific thing, and I'm wondering if we have anything already in central that we could reference here.
|
Reporter | |
Comment 2•5 years ago
|
||
Yes, see bug 1572461 about our latest position on feature policy and what we are planning to implement. Specifically I don't think we want to implement the FP specific parts of that issue. (I've CCed Anne here so that he can correct me if my understanding is wrong!)
|
||
Comment 3•5 years ago
|
||
As feature policy is not available yet I think we have a dependency here.
|
||
Updated•5 years ago
|
|
||
Comment 4•4 years ago
|
||
Note that enough of Feature Permissions Policy has shipped at this point for EME to make use of it.
|
|
||
Updated•4 years ago
|
|
||
Updated•2 years ago
|
Description
•