[html5] r2840 - [] (0) Fill in media element security/privacy section.
whatwg at whatwg.org
Thu Feb 19 01:14:18 PST 2009
Author: ianh
Date: 2009-02-19 01:14:17 -0800 (Thu, 19 Feb 2009)
New Revision: 2840
Modified:
index
source
Log:
[] (0) Fill in media element security/privacy section.
Modified: index
===================================================================
--- index 2009-02-19 08:16:25 UTC (rev 2839)
+++ index 2009-02-19 09:14:17 UTC (rev 2840)
@@ -19833,15 +19833,53 @@
<td>
</table><h5 id=security-and-privacy-considerations><span class=secno>4.8.10.14 </span>Security and privacy considerations</h5>
- <p class=XXX>Talk about making sure interactive media files
- (e.g. SVG) don't have access to the container DOM (XSS potential);
- talk about not exposing any sensitive data like metadata from tracks
- in the media files (intranet snooping risk)</p>
+ <p>The main security and privacy implications of the
+ <code><a href=#video>video</a></code> and <code><a href=#audio>audio</a></code> elements come from the
+ ability to embed media cross-origin. There are two directions that
+ threats can flow: from hostile content to a victim page, and from a
+ hostile page to victim content.</p>
+ <hr><p>If a victim page embeds hostile content, the threat is that the
+ content might contain scripted code that attempts to interact with
+ the <code>Document</code> that embeds the content. To avoid this,
+ user agents must ensure that there is no access from the content to
+ the embedding page. In the case of media content that uses DOM
+ concepts, the embedded content must be treated as if it was in its
+ own unrelated <a href=#top-level-browsing-context>top-level browsing context</a>.</p>
+ <p class=example>For instance, if an SVG animation was embedded in
+ a <code><a href=#video>video</a></code> element, the user agent would not give it
+ access to the DOM of the outer page. From the perspective of scripts
+ in the SVG resource, the SVG file would appear to be in a lone
+ top-level browsing context with no parent.</p>
+ <hr><p>If a hostile page embeds victom content, the threat is that the
+ embedding page could obtain information from the content that it
+ would not otherwise have access to. The API does expose some
+ information: the existence of the media, its type, its duration, its
+ size, and the performance characteristics of its host. Such
+ information is already potentially problematic, but in practice the
+ same information can more or less be obtained using the
+ <code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.</p>
+ <p>However, significantly more sensitive information could be
+ obtained if the user agent further exposes metadata within the
+ content such as subtitles or chapter titles. This version of the API
+ does not expose such information. Future extensions to this API will
+ likely reuse a mechanism such as CORS to check that the embedded
+ content's site has opted in to exposing such information. <a href=#refsCORS>[CORS]</a></p>
+ <p class=example>An attacker could trick a user running within a
+ corporate network into visiting a site that attempts to load a video
+ from a previously leaked location on the corporation's intranet. If
+ such a video included confidential plans for a new product, then
+ being able to read the subtitles would present a confidentiality
+ breach.</p>
+
+
+
+
+
<h4 id=the-canvas-element><span class=secno>4.8.11 </span>The <dfn id=canvas><code>canvas</code></dfn> element</h4>
<dl class=element><dt>Categories</dt>
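Review bot: the new paragraph beginning "If a hostile page embeds victom content" carries a typo ("victom" for "victim"); since index is generated from source, fix it in source and regenerate rather than patching here. The same sentence in the example paragraph, "if an SVG animation was embedded in a video element", reads more naturally as "were embedded" (the counterfactual is hypothetical). The point about threat direction is otherwise well stated: one paragraph for content-to-page access (the embedded resource must behave as a lone top-level browsing context) and one for page-to-content leakage (only existence, type, duration, size and host performance are exposed, with subtitle and chapter metadata explicitly withheld until a CORS-style opt-in exists).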
Modified: source
===================================================================
--- source 2009-02-19 08:16:25 UTC (rev 2839)
+++ source 2009-02-19 09:14:17 UTC (rev 2840)
@@ -21484,15 +21484,58 @@
<h5>Security and privacy considerations</h5>
- <p class="XXX">Talk about making sure interactive media files
- (e.g. SVG) don't have access to the container DOM (XSS potential);
- talk about not exposing any sensitive data like metadata from tracks
- in the media files (intranet snooping risk)</p>
+ <p>The main security and privacy implications of the
+ <code>video</code> and <code>audio</code> elements come from the
+ ability to embed media cross-origin. There are two directions that
+ threats can flow: from hostile content to a victim page, and from a
+ hostile page to victim content.</p>
+ <hr>
+ <p>If a victim page embeds hostile content, the threat is that the
+ content might contain scripted code that attempts to interact with
+ the <code>Document</code> that embeds the content. To avoid this,
+ user agents must ensure that there is no access from the content to
+ the embedding page. In the case of media content that uses DOM
+ concepts, the embedded content must be treated as if it was in its
+ own unrelated <span>top-level browsing context</span>.</p>
+ <p class="example">For instance, if an SVG animation was embedded in
+ a <code>video</code> element, the user agent would not give it
+ access to the DOM of the outer page. From the perspective of scripts
+ in the SVG resource, the SVG file would appear to be in a lone
+ top-level browsing context with no parent.</p>
+ <hr>
+ <p>If a hostile page embeds victom content, the threat is that the
+ embedding page could obtain information from the content that it
+ would not otherwise have access to. The API does expose some
+ information: the existence of the media, its type, its duration, its
+ size, and the performance characteristics of its host. Such
+ information is already potentially problematic, but in practice the
+ same information can more or less be obtained using the
+ <code>img</code> element, and so it has been deemed acceptable.</p>
+
+ <p>However, significantly more sensitive information could be
+ obtained if the user agent further exposes metadata within the
+ content such as subtitles or chapter titles. This version of the API
+ does not expose such information. Future extensions to this API will
+ likely reuse a mechanism such as CORS to check that the embedded
+ content's site has opted in to exposing such information. <a
+ href="#refsCORS">[CORS]</a></p>
+
+ <p class="example">An attacker could trick a user running within a
+ corporate network into visiting a site that attempts to load a video
+ from a previously leaked location on the corporation's intranet. If
+ such a video included confidential plans for a new product, then
+ being able to read the subtitles would present a confidentiality
+ breach.</p>
+
+
+
+
+
<h4>The <dfn id="canvas"><code>canvas</code></dfn> element</h4>
<dl class="element">
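Review bot: same typo as in index, "embeds victom content" should read "embeds victim content"; this is the file to correct. The hunk also adds five empty lines between the closing `</p>` of the intranet example and `<h4>The <dfn id="canvas">`, which is more whitespace than the surrounding source uses between sections; one blank line would match the rest of the file. Consider also adding a sentence to the CORS paragraph stating that, until such an opt-in mechanism exists, user agents must not expose track metadata (subtitles, chapter titles) to script for cross-origin media, so the normative requirement is explicit rather than implied by "This version of the API does not expose such information."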