Primary eng (and PM) emails
Following our powerful feature policy, we intend to remove support for EME APIs over non-secure contexts at the end of Q1 2017.
Support for non-secure contexts has been removed from the EME v1 spec and will not be in the upcoming Proposed Recommendation (PR) or subsequent final Recommendation. The API was included in the original intent-to-deprecate and listed on the Chromium wiki page starting in Feb 2015, and has been showing a deprecation message since May 2015. If approved, the deprecation message will be updated to include the concrete timeframe.
Some usages of EME expose DRM implementations that are not open source, involve access to persistent unique identifiers, and/or run unsandboxed or with privileged access. The risks are increased when exposed via insecure HTTP, because they could be attacked by anyone on the channel. In addition, for implementations that require explicit permissions, permission for an insecure HTTP site can be exploited.
This will break a small number of media sites that do not transition to HTTPS by the time of removal. As these sites transition to HTTPS, the risk becomes lower. We have a good communication channel with many of the sites currently using EME in non-secure contexts, which makes the risk much lower.
EME support in Chrome: since M42 (unprefixed)
Firefox: deprecation plans.
Usage information from UseCounter
EME over insecure origins: 0.002% of page loads (link).
EME over secure origins: 0.009% of page loads (link).
OWP launch tracking bug
https://crbug.com/672605 for EME
https://crbug.com/520765 for broader removal of old powerful features on insecure origins.
Entry on the feature dashboard