Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EME Extension: HDCP Policy Check #243

Open
SingingTree opened this issue Jan 13, 2020 · 3 comments
Open

EME Extension: HDCP Policy Check #243

SingingTree opened this issue Jan 13, 2020 · 3 comments
Labels
under review venue: W3C CG Specifications in W3C Community Groups (e.g., WICG, Privacy CG)

Comments

@SingingTree
Copy link

Request for Mozilla Position on an Emerging Web Specification

Other information

This check is currently implemented in Gecko, but is behind a pref. I'm seeking more input on what we'd like to see before exposing the functionality without a pref being set.

@dbaron
Copy link
Contributor

dbaron commented Jan 13, 2020

w3ctag/design-reviews#323 might have a few useful thoughts here.

@dbaron dbaron added the venue: W3C CG Specifications in W3C Community Groups (e.g., WICG, Privacy CG) label Jan 13, 2020
@dbaron
Copy link
Contributor

dbaron commented Jan 13, 2020

How much will the results of this API vary between Firefox users, and what would cause the variation?

@hsivonen
Copy link
Member

How much will the results of this API vary between Firefox users, and what would cause the variation?

Hmm. This API has become worse for fingerprinting since I last paid attention: Instead of exposing a boolean, there are now more outcomes. The explainer shows 10 distinct outcomes of which Firefox and Chromium presently know about 9.

The source of variation would be the combination of operating system, GPU driver(s), GPU(s), and screen(s). One might argue that WebGL already exposes a hopeless number of fingerprinting bits that correlate with these.

In the WICG issue, it's said: "Several open-access license servers exist for the purposes of testing and integration, and their CORS headers allow access from "*". So this becomes all sites running in a secure context. Any HTTPS-hosted site can do a license exchange with these open license servers."

So this means that even without this API, these fingerprinting bits are available to the Web, but this API makes the bits available with less effort and with out a (potentially detectable and blockable) HTTP round trip to an open-access license server.

I'll ping you off-GitHub about reducing the fingerprinting bits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
under review venue: W3C CG Specifications in W3C Community Groups (e.g., WICG, Privacy CG)
Projects
Status: Unscreened
Development

No branches or pull requests

3 participants