[html5] r5411 - [giow] (0) Oops, don't leak subtitles from cross-origin videos.

Fri Sep 3 13:51:36 PDT 2010

Author: ianh
Date: 2010-09-03 13:51:34 -0700 (Fri, 03 Sep 2010)
New Revision: 5411

Modified:
   complete.html
   index
   source
Log:
[giow] (0) Oops, don't leak subtitles from cross-origin videos.

Modified: complete.html
===================================================================

--- complete.html	2010-09-03 20:36:54 UTC (rev 5410)
+++ complete.html	2010-09-03 20:51:34 UTC (rev 5411)
@@ -25344,10 +25344,18 @@
 
      <dd>
 
-      <p><a href=#queue-a-task>Queue a task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-timed-track>steps to expose a
+      <p>If the <a href=#media-resource>media resource</a>'s <a href=#origin>origin</a> is
+      the <a href=#same-origin>same origin</a> as the <a href=#media-element>media element</a>'s
+      <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, <a href=#queue-a-task>queue a
+      task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-timed-track>steps to expose a
       media-resource-specific timed track</a> with the relevant
-      data.</p>
+      data.</p> <!-- CORS -->
 
+      <p class=note>Cross-origin files do not expose their subtitles
+      in the DOM, for security reasons. However, user agents may still
+      provide the user with access to such data in their user
+      interface.</p>
+
      </dd>
 <!--TT-->
 

Modified: index
===================================================================
--- index	2010-09-03 20:36:54 UTC (rev 5410)
+++ index	2010-09-03 20:51:34 UTC (rev 5411)
@@ -25324,10 +25324,18 @@
 
      <dd>
 
-      <p><a href=#queue-a-task>Queue a task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-timed-track>steps to expose a
+      <p>If the <a href=#media-resource>media resource</a>'s <a href=#origin>origin</a> is
+      the <a href=#same-origin>same origin</a> as the <a href=#media-element>media element</a>'s
+      <code><a href=#document>Document</a></code>'s <a href=#origin>origin</a>, <a href=#queue-a-task>queue a
+      task</a> to run the <a href=#steps-to-expose-a-media-resource-specific-timed-track>steps to expose a
       media-resource-specific timed track</a> with the relevant
-      data.</p>
+      data.</p> <!-- CORS -->
 
+      <p class=note>Cross-origin files do not expose their subtitles
+      in the DOM, for security reasons. However, user agents may still
+      provide the user with access to such data in their user
+      interface.</p>
+
      </dd>
 <!--TT-->
 

Modified: source
===================================================================
--- source	2010-09-03 20:36:54 UTC (rev 5410)
+++ source	2010-09-03 20:51:34 UTC (rev 5411)
@@ -27356,10 +27356,18 @@
 
      <dd>
 
-      <p><span>Queue a task</span> to run the <span>steps to expose a
+      <p>If the <span>media resource</span>'s <span>origin</span> is
+      the <span>same origin</span> as the <span>media element</span>'s
+      <code>Document</code>'s <span>origin</span>, <span>queue a
+      task</span> to run the <span>steps to expose a
       media-resource-specific timed track</span> with the relevant
-      data.</p>
+      data.</p> <!-- CORS -->
 
+      <p class="note">Cross-origin files do not expose their subtitles
+      in the DOM, for security reasons. However, user agents may still
+      provide the user with access to such data in their user
+      interface.</p>
+
      </dd>
 <!--START w3c-html--><!--TT-->
 


