Commit

[] (0) Fill in media element security/privacy section.
git-svn-id: http://svn.whatwg.org/webapps@2840 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Feb 19, 2009
1 parent 60e5ff6 commit c9a6209
Showing 2 changed files with 89 additions and 8 deletions.
46 changes: 42 additions & 4 deletions index
Expand Up @@ -19833,10 +19833,48 @@ interface <dfn id=cuerangecallback>CueRangeCallback</dfn> {
<td>
</table><h5 id=security-and-privacy-considerations><span class=secno>4.8.10.14 </span>Security and privacy considerations</h5>

<p class=XXX>Talk about making sure interactive media files
(e.g. SVG) don't have access to the container DOM (XSS potential);
talk about not exposing any sensitive data like metadata from tracks
in the media files (intranet snooping risk)</p>
<p>The main security and privacy implications of the
<code><a href=#video>video</a></code> and <code><a href=#audio>audio</a></code> elements come from the
ability to embed media cross-origin. There are two directions that
threats can flow: from hostile content to a victim page, and from a
hostile page to victim content.</p>

<hr><p>If a victim page embeds hostile content, the threat is that the
content might contain scripted code that attempts to interact with
the <code>Document</code> that embeds the content. To avoid this,
user agents must ensure that there is no access from the content to
the embedding page. In the case of media content that uses DOM
concepts, the embedded content must be treated as if it was in its
own unrelated <a href=#top-level-browsing-context>top-level browsing context</a>.</p>

<p class=example>For instance, if an SVG animation was embedded in
a <code><a href=#video>video</a></code> element, the user agent would not give it
access to the DOM of the outer page. From the perspective of scripts
in the SVG resource, the SVG file would appear to be in a lone
top-level browsing context with no parent.</p>

<hr><p>If a hostile page embeds victom content, the threat is that the
embedding page could obtain information from the content that it
would not otherwise have access to. The API does expose some
information: the existence of the media, its type, its duration, its
size, and the performance characteristics of its host. Such
information is already potentially problematic, but in practice the
same information can more or less be obtained using the
<code><a href=#the-img-element>img</a></code> element, and so it has been deemed acceptable.</p>

<p>However, significantly more sensitive information could be
obtained if the user agent further exposes metadata within the
content such as subtitles or chapter titles. This version of the API
does not expose such information. Future extensions to this API will
likely reuse a mechanism such as CORS to check that the embedded
content's site has opted in to exposing such information. <a href=#refsCORS>[CORS]</a></p>

<p class=example>An attacker could trick a user running within a
corporate network into visiting a site that attempts to load a video
from a previously leaked location on the corporation's intranet. If
such a video included confidential plans for a new product, then
being able to read the subtitles would present a confidentiality
breach.</p>



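Review bot: typo in the paragraph following the second <hr> in this hunk: "If a hostile page embeds victom content" should read "victim content". Since index is the generated copy of source, the fix belongs in source with index regenerated, so the two files do not drift apart.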
51 changes: 47 additions & 4 deletions source
Expand Up @@ -21484,10 +21484,53 @@ interface <dfn>CueRangeCallback</dfn> {

<h5>Security and privacy considerations</h5>

<p class="XXX">Talk about making sure interactive media files
(e.g. SVG) don't have access to the container DOM (XSS potential);
talk about not exposing any sensitive data like metadata from tracks
in the media files (intranet snooping risk)</p>
<p>The main security and privacy implications of the
<code>video</code> and <code>audio</code> elements come from the
ability to embed media cross-origin. There are two directions that
threats can flow: from hostile content to a victim page, and from a
hostile page to victim content.</p>

<hr>

<p>If a victim page embeds hostile content, the threat is that the
content might contain scripted code that attempts to interact with
the <code>Document</code> that embeds the content. To avoid this,
user agents must ensure that there is no access from the content to
the embedding page. In the case of media content that uses DOM
concepts, the embedded content must be treated as if it was in its
own unrelated <span>top-level browsing context</span>.</p>

<p class="example">For instance, if an SVG animation was embedded in
a <code>video</code> element, the user agent would not give it
access to the DOM of the outer page. From the perspective of scripts
in the SVG resource, the SVG file would appear to be in a lone
top-level browsing context with no parent.</p>

<hr>

<p>If a hostile page embeds victom content, the threat is that the
embedding page could obtain information from the content that it
would not otherwise have access to. The API does expose some
information: the existence of the media, its type, its duration, its
size, and the performance characteristics of its host. Such
information is already potentially problematic, but in practice the
same information can more or less be obtained using the
<code>img</code> element, and so it has been deemed acceptable.</p>

<p>However, significantly more sensitive information could be
obtained if the user agent further exposes metadata within the
content such as subtitles or chapter titles. This version of the API
does not expose such information. Future extensions to this API will
likely reuse a mechanism such as CORS to check that the embedded
content's site has opted in to exposing such information. <a
href="#refsCORS">[CORS]</a></p>

<p class="example">An attacker could trick a user running within a
corporate network into visiting a site that attempts to load a video
from a previously leaked location on the corporation's intranet. If
such a video included confidential plans for a new product, then
being able to read the subtitles would present a confidentiality
breach.</p>



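Review bot: the list of what the API exposes ("the existence of the media, its type, its duration, its size, and the performance characteristics of its host") leaves "size" ambiguous between byte length and intrinsic dimensions, and the argument that the same information "can more or less be obtained using the img element" depends on which is meant; state it explicitly. The same "victom" typo appears in the paragraph after the second <hr> of this hunk and should be corrected here, as this is the source file that index is generated from.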