Design Review #671

#671: EME MediaKeySessionClosedReason

Opened Aug 27, 2021

Ya ya yawm TAG!

I'm requesting a TAG review of EME MediaKeySessionClosedReason.

The current EME spec says:

"the CDM may close a session at any point, such as when the session is no longer needed or when system resources are lost."

However, there's no way to specify the exact reason for session closure. In some cases, this is part of normal user flow, e.g. user close laptop lid to put the device into sleep mode, where the player should resume playback. In some other cases, this is due to some unrecoverable fatal error.

This proposal updates the closed attribute on MediaKeySession to provide a MediaKeySessionClosedReason so that the JavaScript player can handle session closure differently based on the reasons.

Explainer¹ (minimally containing user needs and example code): https://github.com/w3c/encrypted-media/issues/473
Specification URL: https://w3c.github.io/encrypted-media/#dom-mediakeysessionclosedreason
Tests: media/encrypted-media/encrypted-media-session-closed-event.html
Security and Privacy self-review²: https://github.com/w3c/encrypted-media/issues/473#issuecomment-907509842
GitHub repo (if you prefer feedback filed there): https://github.com/w3c/encrypted-media
Primary contacts (and their relationship to the specification):
- Xiaohan Wang (@xhwang-chromium, Google Inc.)
- Joey Parrish (@joeyparrish, Google Inc.) - editor
- Greg Freedman (@gregwfreedman, Netflix Inc.) - editor
Organization(s)/project(s) driving the specification: W3C Media WG: https://www.w3.org/media-wg/
Key pieces of existing multi-stakeholder review or discussion of this specification:
- Spec discussion: https://github.com/w3c/encrypted-media/issues/473
- W3C Media Working Group meeting discussion: https://lists.w3.org/Archives/Public/public-media-wg/2020Sep/0004.html
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
- https://github.com/w3c/encrypted-media/issues/473
- https://www.chromestatus.com/feature/5632124143009792

Further details:

I have reviewed the TAG's Web Platform Design Principles
Relevant time constraints or deadlines: I'd like to ship this feature by default in Chromium M96.
The group where the work on this specification is currently being done: https://www.w3.org/media-wg/
The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): https://www.w3.org/media-wg/
Major unresolved issues with or opposition to this specification: None
This work is being funded by: N/A

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify @xhwang-chromium

Discussions

2021-09-Gethen

Minutes

Sangwhan: it's a very small thing. On mediakeysession which is an object inside eme there is an attribute called 'closed' and this adds a reason to why it was closed

Dan: what's the user need? In service of need? Is this shown to the user?

Sangwhan: usually to do error handling for the application to reinitialise the eme stack. You would have a couple of errors.. it's an enum, internalerror, closedbyapplication, etc, comes back from the content decryption module. Also resourceevicted. The content decryption module dpeends on hardware for example and ran out of memory and had to release the resources or stuff like that. This would be information usable in terms of the video streaming application knowing what to do next if the decryption failed or if it's closed. This doesn't add more damage.

Dan: I've marked it as small delta..

Sangwhan: there's a tricky bit.. I think EME doesn't have a working group?

Dan: Media Working Group

Yves: yes

Sangwhan: I'm okay with this. Can write a closing comment. I'm not sure if this is an actual attack... the state change can leak information across origins. But there's a bunch of other stuff that could trigger this so I'm not sure if it's a big issue.

Dan: One of the things we kept talkinga bout intially with the EME review was that it can leak information to you because the content decryption module is a black box it can have access to information like your location and that can..

Sangwhan: it is not supposed to but yes

Dan: that lead to the whole discussion about wanting some kind of statement a waiver about security and privacy experts auditing how these systems work and that should be considered an exception, they should not be prosecuted under the digital millenium copyright act, and there ended up not being that covenant, it wasn't part of EME even though TAG recommended that it should, is there something similar to that where this nformation could reveal something about the user across origin, or is thsi purely mechanics?

Dan: Also worth noting our feedback from 2017 on this issue.

Sangwhan: imagine the gamepad API.. some implementations broadcast the input to all tabs because it's an event. In this event you could listen to gamepad input and match up a user by listening to the gamepad events, if a user presses right multiple origins will get that. This is the same kind of mechanism that will happen. Multiple things are using the EME stack and the CDN goes bonkers and everything shuts down for the same reason it could identify the user, I'm not sure if that's a realistic or useful attack surface.

Dan: maybe ask that?

Sangwhan: I don't think it's preventable. It's in 2.1 in S&P - information will be exposed indirectly to some websites. [reads] I don't think it's a huge issue to be honest.

(Setting aside all debate about whether or not EME should exist in the first place, since the cat is out of the box. For that bit, please refer to our [feedback from 2017](https://github.com/w3c/encrypted-media/issues/389).)

Given that this is a small incremental change to an existing spec that improves developer ergonomics, we are happy to see this move forward. Thanks for bringing this to our attention.

Noticed that the EME spec doesn't have a S&P section - think it would be worth adding something there (not just for this feature, but for EME as a whole) if possible.