On Thu, Jan 29, 2015 at 06:57:30AM +0900, Mike Hommey wrote:
> So, in practice, because the h264 code is not sandboxed on some setups,
> we're disabling it so that vp8, which is not sandboxed either, is used
> instead. We have about the same amount of control over openh264 and
> vp8 code bases. What makes the difference?

This is more a question for the WebRTC module leadership, but: assuming
the attacker can choose the codec (do we always secure the media content
at least as much as the script that set up the session?), the set of
vulnerabilities is the union of the codecs' vulnerabilities, and adding
a codec can only add more of them.

Possibly also relevant: we already prefer VP8 over H.264 on desktop.

--Jed

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
