Disallow calling navigator.requestMediaKeySystemAccess() from cross-origin iframes
Categories
(Core :: Audio/Video, enhancement, P3)
People
(Reporter: ehsan.akhgari, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: site-compat)
Allowing access to EME from third-party contexts allows the extraction of the supported media key systems, which can be a fingerprinting vector. Chrome disallows this access by default; we should probably do the same.
See this spec issue: https://github.com/w3c/encrypted-media/issues/364.
:Ehsan, do you know if we have any prior art around feature policy? This file on the spec GitHub makes it look like it's a Chromium-specific thing, and I'm wondering if we have anything already in central that we could reference here.
Comment 2•5 years ago (Reporter)
Yes, see bug 1572461 about our latest position on feature policy and what we are planning to implement. Specifically, I don't think we want to implement the FP-specific parts of that issue. (I've CCed Anne here so that he can correct me if my understanding is wrong!)
Comment 3•5 years ago
As feature policy is not available yet I think we have a dependency here.
Comment 4•4 years ago
Note that enough of Feature Permissions Policy has shipped at this point for EME to make use of it.