[Open] foolip opened 8 years ago
Yeah, I thought the only new leak was duration.
This seems to be the same as https://www.w3.org/Bugs/Public/show_bug.cgi?id=27989, so I will move that bug here.
/cc @whatwg/security since I know people using esoteric browser features to bust through CORS is a hot topic these days.
https://html.spec.whatwg.org/multipage/embedded-content.html#concept-media-load-resource
For text tracks, we have "If the media data is CORS-same-origin, run the steps to expose a media-resource-specific text track with the relevant data." with the note "Cross-origin videos do not expose their subtitles, since that would allow attacks such as hostile sites reading subtitles from confidential videos on a user's intranet."
Exposing the label and language of audio/video tracks also seems problematic.
@jernoble