Summary: The EME spec [1] states that EME should only be usable from a secure origin (i.e. on a domain being served over HTTPS). Currently Gecko's implementation works on insecure origins (i.e. sites served over unencrypted HTTP). To bring our implementation in line with the spec, we're going to remove support for EME on non-secure origins.
Sites using EME that are not using secure origins should switch to HTTPS as soon as possible. Chrome has just removed support for insecure EME in Chrome 58, their most recent release.

Motivation: EME makes use of proprietary CDMs that have access to persistent storage and that may transmit identifiers to DRM license servers. Requiring secure origin and transport makes it harder for the CDM to be attacked by others on the channel.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1322517

Standard: https://www.w3.org/TR/encrypted-media/

Platform coverage: This will affect everywhere that we support EME; Windows, MacOS, Linux, Android.

Estimated target date: TBD. Hopefully we can ship this by the end of 2017. Our telemetry [2] indicates that about 18% of EME use is still on insecure origins. We're shipping a deprecation warning in the WebConsole in Firefox 55, and given that Chrome have removed this in their latest release I expect we should see migration of sites using EME to HTTPS. Once our telemetry indicates that use of EME on insecure origins is sufficiently rare, we will go ahead and remove support for EME on insecure origins.

[1] https://www.w3.org/TR/encrypted-media/#privacy-secureorigin
[2] https://mzl.la/2rs9maH
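
For sites preparing for the change announced above, the following is an added example (not part of the original message and not Gecko code) that sorts player page URLs by whether EME would still be available on them, and shows a runtime check using window.isSecureContext and navigator.requestMediaKeySystemAccess. The function names, the `env` parameter and the sample URLs are assumptions made for the example, and the origin test approximates the Secure Contexts rules by looking only at the page's own URL.

```javascript
// Added example, not Gecko or site code. URLs below are constructed samples.
// Approximates the "potentially trustworthy origin" test behind secure
// contexts; it checks only the URL's own origin, not ancestor frames.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input is treated as not trustworthy
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname.toLowerCase();
  // Loopback names and addresses count as secure even over plain HTTP.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  const v4 = host.match(/^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
  return v4 !== null && Number(v4[1]) === 127;
}

// Split a list of player page URLs into those where EME keeps working and
// those that must move to HTTPS before insecure-origin support is removed.
function auditEmePages(urls) {
  const report = { ok: [], needsHttps: [] };
  for (const u of urls) {
    (isPotentiallyTrustworthy(u) ? report.ok : report.needsHttps).push(u);
  }
  return report;
}

// Runtime check for player code. `env` is `window` in a browser; it is a
// parameter here (an assumption of this example) so it can run offline.
function emeStatus(env) {
  const nav = env.navigator;
  if (!nav || typeof nav.requestMediaKeySystemAccess !== "function") {
    return "no-eme";
  }
  return env.isSecureContext ? "ok" : "insecure-context";
}

const SAMPLE_URLS = [
  "https://video.example/watch",
  "http://video.example/watch",
  "http://localhost:8080/player",
  "http://127.0.0.1:8000/test",
  "http://[::1]/player",
  "http://10.0.0.5/player",
];
console.log(auditEmePages(SAMPLE_URLS));
```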