encrypted-media-respec.html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Encrypted Media Extensions</title>
<script src="https://www.w3.org/Tools/respec/respec-w3c-common" class="remove"></script>
<script src="encrypted-media.js" class="remove"></script>
<script class="remove">
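// ReSpec configuration for the Encrypted Media Extensions Editor's Draft.
// The ReSpec script loaded above reads this global while it processes the
// document. The pre/post-processor hooks referenced below are not defined in
// this block; presumably they come from encrypted-media.js, which is loaded
// immediately before it.
var respecConfig = {
  // specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
  specStatus: "ED",
  //publishDate: "2014-XX-YY",
  previousMaturity: "WD",
  previousPublishDate: "2014-08-28",
  // if this is a LCWD, uncomment and set the end of its review period
  // lcEnd: "2009-08-05",
  // the specification's short name, as in http://www.w3.org/TR/short-name/
  shortName: "encrypted-media",
  // if there a publicly available Editor's Draft, this is the link
  edDraftURI: "https://w3c.github.io/encrypted-media/",
  // editors, add as many as you like
  // only "name" is required
  editors: [
    { name: "David Dorwin", url: "",
      company: "Google Inc.", companyURL: "https://www.google.com/" },
    { name: "Jerry Smith", url: "",
      company: "Microsoft Corporation", companyURL: "https://www.microsoft.com/" },
    { name: "Mark Watson", url: "",
      company: "Netflix Inc.", companyURL: "https://www.netflix.com/" },
    { name: "Adrian Bateman (until May 2014)", url: "",
      company: "Microsoft Corporation", companyURL: "https://www.microsoft.com/" },
  ],
  otherLinks: [
    { key: "Repository",
      href: "https://github.com/w3c/encrypted-media/"}
  ],
  // NOTE(review): the two eme* keys look like project-specific options read by
  // the EME pre/post-processors rather than by ReSpec itself; confirm in
  // encrypted-media.js.
  emeDefGroupName: "encrypted-media",
  emeUnusedGroupNameExcludeList: ["eme-references-from-registry"],
  // name of the WG
  wg: "HTML Working Group",
  // URI of the public WG page
  // Uses https so the generated link matches `scheme` and the other W3C URLs
  // in this configuration instead of sending readers over plain http.
  wgURI: "https://www.w3.org/html/wg/",
  // name (without the @w3c.org) of the public mailing to which comments are due
  wgPublicList: "public-html-media",
  // URI of the patent status for this WG, for Rec-track documents
  // !!!! IMPORTANT !!!!
  // This is important for Rec-track documents, do not copy a patent URI from a random
  // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
  // Team Contact.
  wgPatentURI: "https://www.w3.org/2004/01/pp-impl/40318/status",
  noIDLIn: true,
  scheme: "https",
  preProcess: [ encryptedMediaPreProcessor ],
  // Empty definitions for objects declared in the document are here to
  // prevent error messages from being displayed for references to these objects.
  definitionMap: {},
  postProcess: [ encryptedMediaPostProcessor ],
  // Bibliography entries supplied locally for the [[EME-REGISTRY]] and [[JWS]]
  // citations.
  localBiblio: {
    "EME-REGISTRY": {
      title: "Encrypted Media Extensions Stream Format and Initialization Data Format Registry",
      href: "initdata-format-registry.html",
      authors: ["David Dorwin", "Adrian Bateman", "Mark Watson"],
      publisher: "W3C",
    },
    // The JWS entry points at one specific Internet-Draft revision (-33), so
    // it needs revisiting whenever the cited document is revised.
    "JWS": {
      authors: ["M. Jones", "J. Bradley", "N. Sakimura"],
      date: "25 September 2014",
      href: "https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-33",
      publisher: "IETF",
      status: "Internet Draft",
      title: "JSON Web Signature (JWS)",
    }
  }
};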
</script>
<!-- script to register bugs -->
<!-- Disabled unless/until it supports GitHub issues.
<script src="https://w3c.github.io/webcomponents/assets/scripts/bug-assist.js"></script>
<meta name="bug.product" content="HTML WG"/>
<meta name="bug.component" content="Encrypted Media Extensions"/>
-->
<link rel="stylesheet" href="eme.css"/>
</head>
<body>
<section id="abstract">
<p>This proposal extends <a def-id="htmlmediaelement"></a> [[!HTML5]] providing APIs to control playback of protected content.</p>
<p>The API supports use cases ranging from simple clear key decryption to high value video (given an appropriate user agent implementation).
License/key exchange is controlled by the application, facilitating the development of robust playback applications supporting a range of content decryption and protection technologies.</p>
<p>This specification does not define a content protection or Digital Rights Management system. Rather, it defines a common API that may be used to discover, select and interact with
such systems as well as with simpler content encryption systems. Implementation of Digital Rights Management is not required for compliance with this specification: only the
Clear Key system is required to be implemented as a common baseline.</p>
<p>The common API supports a simple set of content encryption capabilities, leaving application functions such as authentication and authorization to page authors. This is achieved by
requiring content protection system-specific messaging to be mediated by the page rather than assuming out-of-band communication between the encryption system and a license
or other server.</p>
</section>
<section id="sotd">
<p>The working group maintains <a href="https://github.com/w3c/encrypted-media/issues">a list of all bug reports that the editors have not yet tried to address</a>; there are also open bugs in the <a href="https://www.w3.org/brief/MjY5">previous bug tracker</a>. This draft highlights some of the pending issues that are still to be discussed in the working group. No decision has been taken on the outcome of these issues, including whether they are valid.</p>
<p>Implementors should be aware that this specification is not stable. <strong>Implementors who are not taking part in the discussions are likely to find the specification changing out from under them in incompatible ways.</strong> Vendors interested in implementing this specification before it eventually reaches the Candidate Recommendation stage should join the mailing list mentioned below and take part in the discussions.</p>
<p class="issue"><a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=20944">Bug 20944</a> - The specification should do more to encourage/ensure CDM-level interoperability.</p>
<p class="issue">This specification contains sections for describing <a href="#security">security</a> and <a href="#privacy">privacy</a> considerations. These sections are not final and review is welcome.</p>
<!-- This will be populated when addressing https://www.w3.org/Bugs/Public/show_bug.cgi?id=23827.
<p>The following features are <strong>at risk</strong> and may be removed due to lack of implementation.
</p>
<ul>
<li><a def-id=""></a></li>
</ul>
-->
</section>
<section id="introduction" class="informative">
<h2>Introduction</h2>
<p>
This proposal allows JavaScript to select content protection mechanisms, control license/key exchange, and implement custom license management algorithms.
It supports a wide range of use cases without requiring client-side modifications in each user agent for each use case.
This also enables content providers to develop a single application solution for all devices.
A generic stack implemented using the proposed APIs is shown below.
This diagram shows an example flow: other combinations of API calls and events are possible.
</p>
<img src="stack_overview.svg" alt="A generic stack implemented using the proposed APIs" height="700">
</section>
<section id="definitions">
<h3>Definitions</h3>
<dl>
<dt id="cdm">Content Decryption Module (CDM)</dt>
<dd>
<p>Content Decryption Module (CDM) is a generic term for the client component that provides the functionality, including decryption, for one or more <a def-id="keysystems"></a>.</p>
<p class="note">Implementations may or may not separate the implementations of CDMs or treat them as separate from the user agent.
This is transparent to the API and application.</p>
<p>All messages and communication to and from the CDM, such as between the CDM and a license server, MUST be passed through the user agent.
The CDM MUST NOT make direct out-of-band network requests.
All messages and communication other than those covered in the following paragraph MUST be passed through the application via the APIs defined in this specification.
Specifically, all communication that contains application-, origin-, or content-specific information or is sent to a URL specified by the application or based on its origin, MUST pass through the APIs.
This includes all license exchange messages.
</p>
<p>Application- and origin-independent messages related to per-client initialization (or reinitialization) that are sent to a fixed non-application-dependent URL MUST be handled by the user agent and MUST NOT be passed to the application via the APIs.
The related message exchange and operations MUST be performed by the user agent via the user agent's network stack.
</p>
<p class="note">For example, an initialization, provisioning, or individualization process for a client device that involves communicating with a server hosted by the user agent or CDM vendor and does not contain application- or origin-specific information MUST be performed by the user agent without involving the application.
The same applies to reinitialization, reprovisioning, or reindividualization.
</p>
<p>For implementations that support per-origin initialization, such messages MUST be passed to the application via the APIs.
Such messages MUST NOT contain non-origin-specific per-client information, such as a <a def-id="distinctive-identifier"></a>.
As with all other uses of the APIs, responses passed to the CDM MUST NOT contain executable code.
</p>
<p class="note">To preserve the privacy properties of per-origin initialization, applications and key system servers should not defer initialization to a non-origin-specific server.
See <a href="#privacy-individualization">Individualization</a>.
</p>
</dd>
<dt id="key-system">Key System</dt>
<dd>
<p>A Key System is a generic term for a decryption mechanism and/or content protection provider.
Key System strings provide unique identification of a Key System.
They are used by the user agent to select a <a def-id="cdm"></a> and identify the source of a key-related event.
User agents MUST support the <a href="#common-key-systems">Common Key Systems</a>.
User agents MAY also provide additional CDMs with corresponding Key System strings.
</p>
<p>A Key System string is always a reverse domain name.
Key System strings are compared using case-sensitive matching. It is RECOMMENDED that CDMs use simple lower-case ASCII key system strings.</p>
<p class="note">For example, "com.example.somesystem".</p>
<p class="note">
Within a given system ("somesystem" in the example), subsystems may be defined as determined by the key system provider.
For example, "com.example.somesystem.1" and "com.example.somesystem.1_5".
Key System providers should keep in mind that these will be used for comparison and discovery, so they should be easy to compare and the structure should remain reasonably simple.
</p>
</dd>
<dt id="key-session">Key Session</dt>
<dd>
<p>A Key Session, or simply Session, provides a context for message exchange with the CDM as a result of which key(s) are made available to the <a def-id="cdm"></a>.
Sessions are embodied as <a>MediaKeySession</a> objects.
Each Key session is associated with a single instance of <a def-id="initialization-data"></a> provided in the <a def-id="generateRequest"></a> call.
</p>
<p>Each Key Session is associated with a single <a>MediaKeys</a> object, and only media element(s) associated with that object may access key(s) associated with the session.
Other <a>MediaKeys</a> objects, <a def-id="cdm"></a> instances, and media elements MUST NOT access the key session or use its key(s).
Key sessions and the keys they contain are no longer usable by the CDM for decryption when the <a def-id="session-close-algorithm">session is closed</a>, including when the <a>MediaKeySession</a> object is destroyed.
</p>
<p><a def-id="key-id">Key IDs</a> MUST be unique within a session.</p>
</dd>
<dt id="session-id">Session ID</dt>
<dd>
<p>A Session ID is a unique string identifier generated by the <a def-id="cdm"></a> that can be used by the application to identify <a>MediaKeySession</a> objects.</p>
<p>A new Session ID is generated each time the user agent and CDM successfully create a new session.</p>
<p>Each Session ID SHALL be unique within the browsing context in which it was created.
Session IDs for <a def-id="persistent-license-session"></a> and <a def-id="persistent-release-message-session"></a> sessions MUST be unique within the <a def-id="origin"></a> over time, including across browsing sessions.
</p>
<p class="note">The underlying content protection protocol does not necessarily need to support Session IDs.</p>
</dd>
<dt id="decryption-key">Key</dt>
<dd>
<p>Unless otherwise stated, key refers to a decryption key that can be used to decrypt blocks within <a def-id="media-data"></a>.
Each such key is uniquely identified by a <a def-id="key-id"></a>.
A key is associated with the <a href="#key-session">session</a> used to provide it to the CDM. (The same key may be present in multiple sessions.)
Such keys MUST only be provided to the <a def-id="cdm"></a> via an <a def-id="update"></a> call. (They may later be loaded by <a def-id="load"></a> as part of the stored session data.)
</p>
<p>A key is considered <em>usable</em> if the CDM is certain the key is currently usable to decrypt <a def-id="media-data"></a>.</p>
<p class="note">For example, a key is not usable if its license has expired.</p>
</dd>
<dt id="decryption-key-id">Key ID</dt>
<dd>
<p>A <a href="#decryption-key">key</a> is associated with a key ID, which uniquely identifies a key.
The container specifies the ID of the key that can decrypt a block or set of blocks within the <a def-id="media-data"></a>.
<a def-id="initialization-data"></a> MAY contain key ID(s) to identify the keys that are needed to decrypt the media data.
However, there is no requirement that Initialization Data contain any or all key IDs used in the <a def-id="media-data"></a> or <a def-id="media-resource"></a>.
<a href="#license">Licenses</a> provided to the CDM associate each key with a key ID so the <a def-id="cdm"></a> can select the appropriate key when decrypting an encrypted block of media data.
</p>
</dd>
<dt id="known-key">Known Key</dt>
<dd>
<p>A key is considered to be known to a session if the CDM's implementation of the session contains any information - specifically the <a def-id="key-id"></a> - about it, regardless of whether the actual <a href="#decryption-key">key</a> is usable or its value is known.
Known keys are exposed via the <a def-id="keyStatuses"></a> attribute.
</p>
<p>Keys are considered known even after they become unusable, such as due to expiration.
Keys only become unknown when they are explicitly removed from a session.
</p>
<p class="note">For example, a key could become unknown if an <a def-id="update"></a> call provides a new license that does not include the key and includes instructions to replace the license(s) that previously contained the key.</p>
</dd>
<dt id="license">License</dt>
<dd>
<p>A license is key system-specific state information that includes one or more <a href="#decryption-key">key(s)</a> - each associated with a <a def-id="key-id"></a> - and potentially other information about key usage.</p>
</dd>
<dt id="initialization-data">Initialization Data</dt>
<dd>
<p class="note">
<a def-id="keysystems"></a> usually require a block of initialization data containing information about the stream to be decrypted before they can construct a license request message.
This block could be a simple key or content ID or a more complex structure containing such information.
It should always allow unique identification of the key(s) needed to decrypt the content.
This initialization information MAY be obtained in some application-specific way or provided with the <a def-id="media-data"></a>.
</p>
<p>
Initialization Data is a generic term for container-specific data that is used by a <a def-id="cdm"></a> to generate a license request.
Initialization data found with the <a def-id="media-data"></a> is provided to the application in the <a def-id="encrypted-event-initdata-attribute"></a> attribute of the <a def-id="encrypted"></a> event.
</p>
<p>
The format of the initialization data depends upon the type of container, and containers MAY support more than one format
of initialization data. The <dfn id="initialization-data-type">Initialization Data Type</dfn> is a string that indicates what
format the initialization data is provided in. Initialization Data Type strings are always matched case-sensitively. It is
RECOMMENDED that Initialization Data Type strings are lower-case ASCII strings.
</p>
<p>
The Encrypted Media Extensions Stream Format and Initialization Data Format Registry [[EME-REGISTRY]]
provides the mapping from initialization data type string to the specification for each format.
</p>
<p>Initialization Data MUST be a fixed value for a given set of stream(s) or <a def-id="media-data"></a>.
It MUST only contain information related to the keys required to play a given set of stream(s) or <a def-id="media-data"></a>.
It MUST NOT contain application data, client-specific data, user-specific data, <a href="#decryption-key">key(s)</a>, or executable code.
</p>
<p>Initialization Data SHOULD NOT contain Key System-specific data or values.
Implementations MUST support the common formats defined in [[EME-REGISTRY]] for each <a def-id="initialization-data-type"></a> they support.
</p>
<p class="note">
Use of proprietary formats/contents is discouraged, and supporting or using <em>only</em> proprietary formats is strongly discouraged.
Proprietary formats should only be used with pre-existing content or on pre-existing devices that do not support the common formats.
</p>
</dd>
<dt id="distinctive-identifier">Distinctive Identifier</dt>
<dd>
<p>A distinctive identifier is a piece of data, implication of the possession of a piece of data, or an observable behavior or timing for which all of the following criteria hold:</p>
<ul>
<li><p>It is not shared across a large population of users or devices.</p></li>
<li><p>It is exposed outside the client device or exposed to the application such that the application has the opportunity to send it (even if in encrypted form if decryptable outside the device) or information about it outside the client device.</p></li>
<li><p>It is used in more than one session or <!-- TODO: Get clarity on this: -->is potentially used in one persistent session across the point of persistence.</p></li>
</ul>
<p class="note">A distinctive identifier is typically unique to a user or device, but an identifier does not need to be strictly unique to be distinctive.
For example, an identifier shared among a small number of users could still be distinctive.
</p>
<div class="note">
<p>Examples of distinctive identifiers include but are not limited to:</p>
<ul>
<li><p>A string of bytes that is included in key requests and that is different from the string included by other devices.</p></li>
<li><p>A public key included in key requests that is different from the public keys included in the requests by other devices.</p></li>
<li><p>Demonstration of possession of a private key (e.g. by signing some data) that other devices do not have.</p></li>
<li><p>An identifier for such a key.</p></li>
</ul>
<p>Examples of things that are not distinctive identifiers:</p>
<ul>
<li><p>A public key shared among all copies of a given CDM version if the installed base is large.</p></li>
<li><p>A nonce that is unique but used in only one <!-- TODO: Get clarity on this: "non-persistent" --> session.</p></li>
<li><p>Device-unique keys used in attestations between, for example, the video pipeline and the CDM when the CDM does not let these attestations further flow to the application and instead makes a new attestation on its own using a key that does not constitute a distinctive identifier.</p></li>
</ul>
</div>
<p class="note">The source of the identifier does not affect whether it is distinctive.
For example, an identifier that is permanently part of the client device, contained in the CDM, generated on the client, or generated as part of some individualization or other provisioning process is considered distinctive if it meets the criteria above.
</p>
</dd>
<dt id="cross-origin">Cross Origin Limitations</dt>
<dd>
<p>During playback, embedded media data is exposed to script in the embedding <a def-id="origin"></a>.
In order for the API to provide <a def-id="initialization-data"></a> in the <a def-id="encrypted"></a> event, <a def-id="media-data"></a> MUST be <a def-id="cors-same-origin"></a> with the embedding page.
If <a def-id="media-data"></a> is cross-origin with the embedding document, authors SHOULD use the <a def-id="media-crossorigin"></a> attribute
on the <a def-id="htmlmediaelement"></a> and CORS headers on the <a def-id="media-data"></a> response to make it <a def-id="cors-same-origin"></a>.
</p>
</dd>
<dt id="mixed-content">Mixed Content Limitations</dt>
<dd>
<p>During playback, embedded media data is exposed to script in the embedding <a def-id="origin"></a>.
In order for the API to provide <a def-id="initialization-data"></a> in the <a def-id="encrypted"></a> event, <a def-id="media-data"></a> MUST NOT be Mixed Content [[!MIXED-CONTENT]].
</p>
</dd>
</dl>
</section>
<section>
<h2>Obtaining Access to Key Systems</h2>
<p>This section defines the mechanism for obtaining access to a key system.
The inclusion of capabilities in the request also enables feature detection.
</p>
<p class="issue">This section is new and may change.</p>
<section>
<h2><a>Navigator</a> Extension: <code>requestMediaKeySystemAccess()</code></h2>
<dl title="partial interface Navigator" class="idl">
<dt>Promise<MediaKeySystemAccess> requestMediaKeySystemAccess()</dt>
<dd>
<p>Requests access to the specified <a def-id="keysystem"></a>.
When <code>supportedConfigurations</code> is specified, the configuration specified by at least one of its elements must be supported.
The resulting <a>MediaKeySystemAccess</a> will correspond to the first such element.
</p>
<p>Any permission checks or user interaction, such as a prompt, SHOULD be performed before resolving the promise.</p>
<p>If the <code>keySystem</code> is not supported or not allowed (in at least one of the <code>supportedConfigurations</code>, if specified), the promise is rejected.
Otherwise, it is resolved with a new <a>MediaKeySystemAccess</a> object.
</p>
<dl class='parameters'>
<dt>DOMString keySystem</dt>
<dd>
The <a def-id="keysystem"></a> for which access is being requested.
</dd>
<dt>sequence<<a>MediaKeySystemConfiguration</a>> supportedConfigurations</dt>
<dd>
A sequence of <a>MediaKeySystemConfiguration</a> configurations to try in order.
The first element with a satisfiable configuration will be used.
</dd>
</dl>
<ol class="method-algorithm">
<!-- TODO: Convert all parameters to use <code>. -->
<li><p>If <var>keySystem</var> is the empty string, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>If <var>supportedConfigurations</var> is empty, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>Let <var>document</var> be the calling context's <a def-id="document-concept"></a>.</p></li>
<li><p>If the result of running the <a def-id="may-document-use-powerful-features-algorithm"></a> algorithm [[!MIXED-CONTENT]] on <var>document</var> is not <code>Allowed</code>:
<ul style="list-style-type:none">
<li>
<p class="issue">
<a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332">Bug 26332</a> - The availability of this API on unauthenticated origins is an open issue. It has been proposed
that such access not be allowed at all or be allowed only in specific circumstances. It is likely that there will be scenarios where access from an unauthenticated origin
is not allowed. It is also an open issue whether and how the impact of serving audio/video media over secure transport can be mitigated.
</p>
</li>
</ul>
</p>
</li>
<li><p>Let <var>origin</var> be the <a def-id="origin"></a> of <var>document</var>.</p></li>
<li><p>Let <var>promise</var> be a new promise.</p></li>
<li><p>Run the following steps asynchronously:</p>
<ol>
<li><p>If <var>keySystem</var> is not one of the <a def-id="keysystems"></a> supported by the user agent, reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>. String comparison is case-sensitive.</p></li>
<li><p>Let <var>implementation</var> be the implementation of <var>keySystem</var>.</p></li>
<li><p>For each value in <code>supportedConfigurations</code>:</p>
<ol>
<li><p>Let <var>candidate configuration</var> be the value.</p></li>
<li><p>Let <var>supported configuration</var> be the result of executing the <a def-id="get-supported-configuration-algorithm"></a> algorithm on <var>implementation</var>, <var>candidate configuration</var>, and <var>origin</var>.</p></li>
<li><p>If <var>supported configuration</var> is not <code>null</code>, run the following steps:</p>
<ol>
<li>
<p>Let <var>access</var> be a new <a>MediaKeySystemAccess</a> object, and initialize it as follows:</p>
<ol>
<li><p>Set the <a def-id="keySystem-attribute"></a> attribute to <var>keySystem</var>.</p></li>
<li><p>Let <var>supported configuration object</var> be a new <a>MediaKeySystemConfiguration</a> object populated with the values in <var>supported configuration</var>.</p>
<p><var>supported configuration object</var> is a non-strict subset of <var>candidate configuration</var>.</p>
</li>
<li><p>Let the <var>configuration</var> value be <var>supported configuration object</var>.</p></li>
<li><p>Let the <var>cdm implementation</var> value be <var>implementation</var>.</p></li>
</ol>
</li>
<li><p>Resolve <var>promise</var> with <var>access</var> and abort these steps.</p></li>
</ol>
</li>
</ol>
</li>
<li><p>Reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>.</p>
<p class="note"><code>keySystem</code> was not supported/allowed or none of the configurations in <code>supportedConfigurations</code> were supported/allowed.</p>
</li>
</ol>
</li>
<li><p>Return <var>promise</var>.</p></li>
</ol>
</dd>
</dl>
<section>
<h3>Algorithms</h3>
<section>
<h2>Get Supported Configuration</h2>
<p>Given a <a def-id="keysystems"></a> implementation <var>implementation</var>, <a>MediaKeySystemConfiguration</a> <var>candidate configuration</var>, and <var>origin</var>, this algorithm returns a supported configuration or <code>null</code> as appropriate.</p>
<p class="note">Unrecognized dictionary members in <var>candidate configuration</var> are ignored per [[WebIDL]] and will never reach this algorithm. Thus, they cannot be considered as part of the configuration.</p>
<ol>
<li><p>Let <var>accumulated configuration</var> be empty.</p></li>
<li><p>If <var>candidate configuration</var>'s <a def-id="option-initDataTypes"></a> attribute is not empty, run the following steps:</p>
<ol>
<li><p>Let <var>supported types</var> be empty.</p></li>
<li><p>For each value in <var>candidate configuration</var>'s <a def-id="option-initDataTypes"></a> attribute:</p>
<ol>
<li><p>Let <var>initDataType</var> be the value.</p></li>
<li><p>If <var>initDataType</var> is the empty string, return <code>null</code>.</p></li><!-- Invalid input. -->
<li><p>If the <var>implementation</var> supports generating requests based on <var>initDataType</var>, add <var>initDataType</var> to <var>supported types</var>.</p></li>
</ol>
</li>
<li><p>If <var>supported types</var> is empty, return <code>null</code>. String comparison is case-sensitive.</p></li>
<li><p>Add <var>supported types</var> to <var>accumulated configuration</var>.</p></li>
</ol>
</li>
<!-- Table of results for MediaKeysRequirement members based on implementation capabilities:
|| Implementation Capabilities |
Input Value || Only Supported | Only Not Supported | Both |
===========================================================================================
"required" || "required" | Return null | "required" |
"optional" || "required" | "not-allowed" | Depends on combination |
"not-allowed" || Return null | "not-allowed" | "not-allowed" |
-->
<li><p>Follow the steps for the value of <var>candidate configuration</var>'s <a def-id="option-distinctiveIdentifier"></a> attribute from the following list:</p>
<dl class="switch">
<dt><a def-id="requirement-required"></a></dt>
<dd>
<p>If the <var>implementation</var> does not support a persistent <a def-id="distinctive-identifier"></a> in combination with <var>accumulated configuration</var>, return <code>null</code>.</p>
</dd>
<dt><a def-id="requirement-optional"></a></dt>
<dd>
<p>Continue.<!-- Will be updated below. --></p>
</dd>
<dt><a def-id="requirement-not-allowed"></a></dt>
<dd>
<p>If the <var>implementation</var> requires a <a def-id="distinctive-identifier"></a> in combination with <var>accumulated configuration</var>, return <code>null</code>.</p>
</dd>
</dl>
</li>
<li><p>Add <a def-id="option-distinctiveIdentifier"></a> and the value of <var>candidate configuration</var>'s corresponding attribute to <var>accumulated configuration</var>.</p></li>
<li><p>Follow the steps for the value of <a def-id="option-persistentState"></a> from the following list:</p>
<dl class="switch">
<dt><a def-id="requirement-required"></a></dt>
<dd>
<p>If the <var>implementation</var> does not support persisting state in combination with <var>accumulated configuration</var>, return <code>null</code>.</p>
<p class="note">Otherwise, the <var>implementation</var> MUST support creating <a def-id="persistent-license-session"></a> and/or <a def-id="persistent-release-message-session"></a> sessions.</p>
</dd>
<dt><a def-id="requirement-optional"></a></dt>
<dd>
<p>Continue.<!-- Will be updated below. --></p>
</dd>
<dt><a def-id="requirement-not-allowed"></a></dt>
<dd>
<p>If the <var>implementation</var> requires persisting state in combination with <var>accumulated configuration</var>, return <code>null</code>.</p>
</dd>
</dl>
</li>
<li><p>Add <a def-id="option-persistentState"></a> and the value of <var>candidate configuration</var>'s corresponding attribute to <var>accumulated configuration</var>.</p></li>
<li><p>If <var>candidate configuration</var>'s <a def-id="option-videoCapabilities"></a> attribute is not empty, run the following steps:</p>
<ol>
<li><p>Let <var>video capabilities</var> be the result of executing the <a def-id="get-supported-capabilities-for-media-type-algorithm"></a> algorithm on Video, <var>candidate configuration</var>'s <a def-id="option-videoCapabilities"></a> attribute, and <var>accumulated configuration</var>.</p></li>
<li><p>If <var>video capabilities</var> is <code>null</code>, return <code>null</code>.</p></li><!-- Video capabilities were specified, but none were supported. -->
<li><p>Add <var>video capabilities</var> to <var>accumulated configuration</var>.</p></li>
</ol>
</li>
<li><p>If <var>candidate configuration</var>'s <a def-id="option-audioCapabilities"></a> attribute is not empty, run the following steps:</p>
<ol>
<li><p>Let <var>audio capabilities</var> be the result of executing the <a def-id="get-supported-capabilities-for-media-type-algorithm"></a> algorithm on Audio, <var>candidate configuration</var>'s <a def-id="option-audioCapabilities"></a> attribute, and <var>accumulated configuration</var>.</p></li>
<li><p>If <var>audio capabilities</var> is <code>null</code>, return <code>null</code>.</p></li><!-- Audio capabilities were specified, but none were supported. -->
<li><p>Add <var>audio capabilities</var> to <var>accumulated configuration</var>.</p></li>
</ol>
</li>
<!-- Replace "optional" values in the combined configuration before checking permissions and for the value exposed by MediaKeySystemAccess. -->
<li><p>If <var>accumulated configuration</var>'s <a def-id="option-distinctiveIdentifier"></a> value is <a def-id="requirement-optional"></a>, follow the steps for the first matching condition from the following list:</p>
<dl class="switch">
<dt>If the <var>implementation</var> requires a <a def-id="distinctive-identifier"></a> for any of the combinations in <var>accumulated configuration</var></dt>
<dd>
<p>Change <var>accumulated configuration</var>'s <a def-id="option-distinctiveIdentifier"></a> value to <a def-id="requirement-required"></a>.</p>
</dd>
<dt>Otherwise</dt>
<dd>
<p>Change <var>accumulated configuration</var>'s <a def-id="option-distinctiveIdentifier"></a> value to <a def-id="requirement-not-allowed"></a>.</p>
</dd>
</dl>
</li>
<li><p>If <var>accumulated configuration</var>'s <a def-id="option-persistentState"></a> value is <a def-id="requirement-optional"></a>, follow the steps for the first matching condition from the following list:</p>
<dl class="switch">
<dt>If the <var>implementation</var> requires persisting state for any of the combinations in <var>accumulated configuration</var></dt>
<dd>
<p>Change <var>accumulated configuration</var>'s <a def-id="option-persistentState"></a> value to <a def-id="requirement-required"></a>.</p>
<p class="note">The <var>implementation</var> MUST support creating <a def-id="persistent-license-session"></a> and/or <a def-id="persistent-release-message-session"></a> sessions.</p>
</dd>
<dt>Otherwise</dt>
<dd>
<p>Change <var>accumulated configuration</var>'s <a def-id="option-persistentState"></a> value to <a def-id="requirement-not-allowed"></a>.</p>
</dd>
</dl>
</li>
<li><p>If <var>implementation</var> in the configuration specified by the combination of the values in <var>accumulated configuration</var> is not supported or not allowed in the <var>origin</var>, return <code>null</code>.</p>
<p class="note">In this step, "supported" includes the implementation being available for use when this algorithm returns, not just user agent support for such an implementation.</p>
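<!-- TODO(review): This step is keyed on persistentState, but the conditions and consent prompts below concern the Distinctive Identifier; confirm whether distinctiveIdentifier was intended. -->
<p>If <var>accumulated configuration</var>'s <a def-id="option-persistentState"></a> value is <a def-id="requirement-required"></a>, follow the steps for the first matching condition from the following list:</p>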
<dl class="switch">
<dt>If the <a def-id="distinctive-identifier"></a> is <a href="#per-origin-identifiers">unique per-origin</a> and <a href="#allow-identifiers-cleared">clearable</a></dt>
<dd>
<p>If there is no persisted consent covering <var>accumulated configuration</var> for the <var>origin</var>, it is RECOMMENDED that the user be prompted for consent to use <a def-id="distinctive-identifier">Distinctive Identifier(s)</a>.</p>
</dd>
<dt>Otherwise</dt>
<dd>
<p>Prompt the user for consent to use <a def-id="distinctive-identifier">Distinctive Identifier(s)</a>.</p>
</dd>
</dl>
<p class="note">A previous consent for a prompt that did not include use of a <a def-id="distinctive-identifier"></a> (with similar properties) would not be considered as covering this <var>accumulated configuration</var>, which implies use of such an identifier.</p>
<p class="note">The "unique per-origin" and "clearable" conditions cannot be false in a compliant implementation because implementations MUST <a href="#per-origin-identifiers">use per-origin identifiers</a> and <a href="#allow-identifiers-cleared">allow the user to clear identifiers</a>.</p>
</li>
<li><p>Return <var>accumulated configuration</var>.</p></li>
</ol>
</section>
<section>
<h2>Get Supported Capabilities for Media Type</h2>
<p>Given a <var>media type</var> (Audio or Video), <a>MediaKeySystemMediaCapability</a> sequence <var>capabilities</var>, and <var>partial configuration</var>, this algorithm returns a list of supported configurations for this media type or <code>null</code> as appropriate.</p>
<ol>
<li><p>Let <var>accumulated capabilities</var> be <var>partial configuration</var>.</p></li>
<li><p>Let <var>media type capabilities</var> be empty.</p></li>
<li><p>For each value in <var>capabilities</var>:</p>
<ol>
<li><p>Let <var>contentType</var> be the value's <a def-id="capability-contentType"></a> member.</p></li>
<li><p>Let <var>robustness</var> be the value's <a def-id="capability-robustness"></a> member.</p></li>
<li><p>If <var>contentType</var> is the empty string, return <code>null</code>.</p></li><!-- Invalid input. -->
<li><p>If <var>contentType</var> is an invalid or unrecognized MIME type, continue to the next iteration.</p></li>
<li><p>Let <var>configuration</var> be empty.</p></li>
<li><p>Let <var>container</var> be the container type specified by <var>contentType</var>.</p></li>
<li><p>If the user agent does not support <var>container</var>, continue to the next iteration. The case-sensitivity of string comparisons is determined by the appropriate RFC.</p>
<p class="note">Per RFC 6838 [[RFC6838]], "Both top-level type and subtype names are case-insensitive."</p>
</li>
<li><p>Add <var>container</var> to <var>configuration</var>.</p></li>
<li><p>Let <var>parameters</var> be the RFC 6381 [[!RFC6381]] parameters, if any, specified by <var>contentType</var>.</p></li>
<li><p>If <var>parameters</var> is not empty, run the following steps:</p>
<ol>
<li><p>If the user agent does not recognize one or more <var>parameters</var>, continue to the next iteration.</p></li>
<li><p>Let <var>media types</var> be the set of media types specified by <var>parameters</var>. It MAY be empty. The case-sensitivity of string comparisons is determined by the appropriate RFC or other specification.</p>
<p class="note">For example, all of the codecs. Case-sensitive string comparison is RECOMMENDED because RFC 6381 [[RFC6381]] says, "Values are case sensitive" for some formats.</p>
</li>
<li><p>Add all <var>media types</var> to <var>configuration</var>.</p></li>
</ol>
</li>
<li><p>If <var>contentType</var> is not a <var>media type</var> type, continue to the next iteration.</p>
<p class="note">For example, if <var>media type</var> is Audio and the top-level type is not "audio" or <var>media types</var> contains non-audio codecs.</p>
</li>
<li><p>If <var>robustness</var> is not the empty string, run the following steps:</p>
<ol>
<li><p>If <var>robustness</var> is an unrecognized value or not supported by <var>implementation</var>, continue to the next iteration. String comparison is case-sensitive.</p></li>
<li><p>Add <var>robustness</var> to <var>configuration</var>.</p></li>
</ol>
</li>
<li><p>If the user agent and <var>implementation</var> do not support playback of encrypted <a def-id="media-data"></a> as specified by <var>configuration</var>, including all <var>media types</var>, in combination with <var>accumulated capabilities</var>, continue to the next iteration.</p>
<p class="note">This configuration (content type and robustness) must be supported with all previously added supported configurations.</p>
</li>
<li><p>Add <var>configuration</var> to <var>media type capabilities</var>.</p></li>
<li><p>Add <var>configuration</var> to <var>accumulated capabilities</var>.</p>
<p class="note">This step ensures that combinations of audio/video capabilities are always checked instead of only checking combinations of video capabilities when checking an audio capability.</p>
</li>
</ol>
</li>
<li><p>If <var>media type capabilities</var> is empty, return <code>null</code>.</p>
<p class="note">None of the <a>MediaKeySystemMediaCapability</a> elements in <var>capabilities</var> is supported in combination with <var>partial configuration</var>.</p>
</li>
<li><p>Return <var>media type capabilities</var>.</p></li>
</ol>
</section>
</section>
</section>
<section>
<h2><a>MediaKeySystemConfiguration</a> dictionary</h2>
<dl title="enum MediaKeysRequirement" class="idl">
<dt>required</dt>
<dd>
<dl>
<dt>When used in a call to <a def-id="requestMediaKeySystemAccess"></a></dt>
<dd>The returned object MUST support this feature.</dd>
<dt>When returned by a <a>MediaKeySystemAccess</a> object</dt>
<dd>CDM instances created by the object MAY use this feature.</dd>
</dl>
<dt>optional</dt>
<dd>
<dl>
<dt>When used in a call to <a def-id="requestMediaKeySystemAccess"></a></dt>
<dd>The returned object MAY support and use this feature.</dd>
<dt>When returned by a <a>MediaKeySystemAccess</a> object</dt>
<dd>This value cannot and MUST NOT be present in such an object.</dd>
</dl>
<dt>not-allowed</dt>
<dd>
<dl>
<dt>When used in a call to <a def-id="requestMediaKeySystemAccess"></a></dt>
<dd>The returned object MUST function without using this feature and MUST NOT use it at any time.</dd>
<dt>When returned by a <a>MediaKeySystemAccess</a> object</dt>
<dd>CDM instances created by the object MUST NOT use this feature.</dd>
</dl>
</dd>
</dl>
<dl title="dictionary MediaKeySystemConfiguration" class='idl'>
<dt>sequence&lt;DOMString&gt; initDataTypes</dt>
<dd>
A list of supported <a def-id="initialization-data-type"></a> names.
The <a def-id="initialization-data-type"></a> capability of this object is considered supported if the list is empty or contains one or more values that are supported with all other members (as determined by the algorithm).
Values in the sequence MUST NOT be the empty string.
</dd>
<dt>sequence&lt;MediaKeySystemMediaCapability&gt; audioCapabilities</dt>
<dd>
A list of supported audio type and capability pairs.
The audio capability of this object is considered supported if the list is empty or contains one or more values that are supported with all other members (as determined by the algorithm).
When there is a conflict between values, the earlier value will be selected.
</dd>
<dt>sequence&lt;MediaKeySystemMediaCapability&gt; videoCapabilities</dt>
<dd>
A list of supported video type and capability pairs.
The video capability of this object is considered supported if the list is empty or contains one or more values that are supported with all other members (as determined by the algorithm).
When there is a conflict between values, the earlier value will be selected.
</dd>
<dt>MediaKeysRequirement distinctiveIdentifier = "optional"</dt>
<dd>
Whether a persistent <a def-id="distinctive-identifier"></a> is required.
<p>Messages from the CDM, such as <a def-id="message"></a> events, MUST NOT contain a <a def-id="distinctive-identifier"></a>, even in an encrypted form, when this member is <a def-id="requirement-not-allowed"></a>.</p>
</dd>
<dt>MediaKeysRequirement persistentState = "optional"</dt>
<dd>
Whether the ability to persist state is required. This includes session data and any other type of state.
<p class="note">For the purposes of this member, persistent state does not include persistent unique identifiers (<a def-id="distinctive-identifiers"></a>) controlled by the <a def-id="keysystem"></a> implementation. <a def-id="option-distinctiveIdentifier"></a> independently reflects this requirement.</p>
<p>Only <a def-id="temporary-session"></a> sessions may be created when persistent state is not supported.</p>
<p class="note">For <a def-id="temporary-session"></a> sessions, the need and ability to store state is <a def-id="keysystem"></a> implementation-specific and may vary by feature used.</p>
<p class="note">Applications intending to create non-<a def-id="temporary-session"></a> sessions should set this attribute to <a def-id="requirement-required"></a> when calling <a def-id="requestMediaKeySystemAccess"></a>.</p>
</dd>
</dl>
<p>Implementations SHOULD NOT add members to this dictionary.
Should member(s) be added, they MUST be of type <a>MediaKeysRequirement</a>, and it is RECOMMENDED that they have default values of <a def-id="requirement-optional"></a> to support the widest range of application and client combinations.
</p>
<p class="note">Dictionary members not recognized by a user agent implementation are ignored per [[WebIDL]] and will not be considered in the <a def-id="requestMediaKeySystemAccess"></a> algorithm.
Should an application use non-standard dictionary member(s), it MUST NOT rely on user agent implementations rejecting a configuration that includes such dictionary members.
</p>
<p>This dictionary MUST NOT be used to pass state or data to the CDM.</p>
</section>
<section>
<h2><a>MediaKeySystemMediaCapability</a> dictionary</h2>
<dl title="dictionary MediaKeySystemMediaCapability" class='idl'>
<dt>DOMString contentType = ""</dt>
<dd>
The content type.
MUST NOT be the empty string.
</dd>
<dt>DOMString robustness = ""</dt>
<dd>
The robustness level associated with the content type.
The empty string indicates that any ability to decrypt and decode the content type is acceptable.
</dd>
</dl>
<p>The entire <a def-id="capability-contentType"></a>, including all codecs, must be supported with <a def-id="capability-robustness"></a> in order for the capability represented by this object to be considered supported.</p>
<p class="note">If any of a set of codecs is acceptable, use a separate instance of this dictionary for each codec.</p>
</section>
</section>
<section>
<h2><a>MediaKeySystemAccess</a> Interface</h2>
<p>The MediaKeySystemAccess object provides access to a <a def-id="keysystem"></a>.</p>
<dl title="interface MediaKeySystemAccess" class='idl'>
<dt>readonly attribute DOMString keySystem</dt>
<dd>
Identifies the <a def-id="keysystem"></a> being used.
</dd>
<dt>MediaKeySystemConfiguration getConfiguration()</dt>
<!-- This is a method instead of an attribute because per http://heycam.github.io/webidl/#idl-dictionaries, "Dictionaries must not be used as the type of an attribute or constant." -->
<dd>
<p>Returns the supported combination of configuration options selected by the <a def-id="requestMediaKeySystemAccess"></a> algorithm.
</p>
<p>The returned object is a non-strict subset of the first satisfiable <a>MediaKeySystemConfiguration</a> configuration passed to the <a def-id="requestMediaKeySystemAccess"></a> call that returned the promise that was resolved with this object.
It does not contain values or capabilities not specified in that single configuration and thus may not reflect all capabilities of the <a def-id="keysystem"></a> implementation.
All values in the configuration may be used in any combination.
Members of type <a>MediaKeysRequirement</a> reflect whether the capability is required for any combination. They will not have the value <a def-id="requirement-optional"></a>.
</p>
<ol class="method-algorithm">
<li><p>Return this object's <var>configuration</var> value.</p></li>
</ol>
</dd>
<dt>Promise&lt;MediaKeys&gt; createMediaKeys()</dt>
<dd>
<p>Creates a new <a>MediaKeys</a> object for <var>keySystem</var>.</p>
<ol class="method-algorithm">
<li><p>Let <var>promise</var> be a new promise.</p></li>
<li><p>Run the following steps asynchronously:</p>
<ol>
<li><p>Load and initialize the <a def-id="keysystem"></a> implementation represented by this object's <var>cdm implementation</var> value if necessary.</p></li>
<li><p>Let <var>instance</var> be a new instance of the <a def-id="keysystem"></a> implementation represented by this object's <var>cdm implementation</var> value.</p></li>
<li><p>If either of the previous two steps failed, reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="appropriate-error-name"></a>.</p></li>
<li><p>Let <var>configuration</var> be the value of this object's <var>configuration</var> value.</p></li>
<li><p>Let <var>distinctive identifier</var> be the value of <var>configuration</var>'s <a def-id="option-distinctiveIdentifier"></a> member.</p></li>
<li><p>Follow the steps for the value of <var>distinctive identifier</var> from the following list:</p>
<dl class="switch">
<dt><a def-id="requirement-required"></a></dt>
<dd>
Let <var>use distinctive identifier</var> be <code>true</code>.
</dd>
<dt><a def-id="requirement-not-allowed"></a></dt>
<dd>
Let <var>use distinctive identifier</var> be <code>false</code>.
</dd>
</dl>
<p class="note">The value of <var>distinctive identifier</var> cannot be <a def-id="requirement-optional"></a>.</p>
</li>
<li><p>Let <var>persistent state</var> be the value of <var>configuration</var>'s <a def-id="option-persistentState"></a> member.</p></li>
<li><p>Follow the steps for the value of <var>persistent state</var> from the following list:</p>
<dl class="switch">
<dt><a def-id="requirement-required"></a></dt>
<dd>
Let <var>persistent state allowed</var> be <code>true</code>.
</dd>
<dt><a def-id="requirement-not-allowed"></a></dt>
<dd>
Let <var>persistent state allowed</var> be <code>false</code>.
</dd>
</dl>
<p class="note">The value of <var>persistent state</var> cannot be <a def-id="requirement-optional"></a>.</p>
</li>
<li><p>Let <var>media keys</var> be a new <a>MediaKeys</a> object, and initialize it as follows:</p>
<ol>
<li><p>Let the <var>use distinctive identifier</var> value be <var>use distinctive identifier</var>.</p></li>
<li><p>Let the <var>persistent state allowed</var> value be <var>persistent state allowed</var>.</p></li>
<li><p>Let the <var>cdm implementation</var> value be this object's <var>cdm implementation</var> value.</p></li>
<li><p>Let the <var>cdm instance</var> value be <var>instance</var>.</p></li>
</ol>
</li>
<li><p>Resolve <var>promise</var> with <var>media keys</var>.</p></li>
</ol>
</li>
<li><p>Return <var>promise</var>.</p></li>
</ol>
</dd>
</dl>
</section>
<section>
<h2><a>MediaKeys</a> Interface</h2>
<p>The MediaKeys object represents a set of keys that an associated HTMLMediaElement can use for decryption of <a def-id="media-data"></a> during playback.
It also represents a CDM instance.
</p>
<p>For methods that return a promise, all errors are reported asynchronously by rejecting the returned Promise. This includes [[!WebIDL]] type mapping errors.</p>
<p>The steps of an algorithm are always aborted when resolving or rejecting a promise.</p>
<dl title="enum MediaKeySessionType" class="idl">
<dt>temporary</dt>
<dd>
A session for which a record of or data related to the session MUST NOT be persisted.
The application need not worry about managing such storage.
Support for this session type is REQUIRED.
</dd>
<dt>persistent-license</dt>
<dd>
A session for which the license and other data related to the session MAY be persisted.
The session MUST be loadable via its <a def-id="session-id"></a> as long as such data is persisted.
The application is responsible for managing any such storage that may be generated by the CDM.
See <a def-id="session-storage"></a>.
Support for this session type is OPTIONAL.
</dd>
<dt>persistent-release-message</dt>
<dd>
A session for which a proof of license release and other data related to the session MAY be persisted.
The license and any key(s) it contains SHALL NOT be persisted.
The session MUST be loadable via its <a def-id="session-id"></a> as long as such data is persisted.
The application is responsible for managing any such storage that may be generated by the CDM.
See <a def-id="session-storage"></a>.
Support for this session type is OPTIONAL.
</dd>
</dl>
<dl title="interface MediaKeys" class='idl'>
<dt>MediaKeySession createSession()</dt>
<dd>
<p>Returns a new <a>MediaKeySession</a> object.</p>
<dl class='parameters'>
<dt>optional MediaKeySessionType sessionType = "temporary"</dt>
<dd>
The type of session to create. The session type affects the behavior of the returned object.
</dd>
</dl>
<ol class="method-algorithm">
<li><p>If this object's <var>persistent state allowed</var> value is <code>false</code> and <var>sessionType</var> is not <a def-id="temporary-session"></a>, throw <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>.</p></li>
<li>
<p>If the <a def-id="keysystem"></a> implementation represented by this object's <var>cdm implementation</var> value does not support <var>sessionType</var>, throw <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>.</p>
<p class="note">This step cannot fail if <var>sessionType</var> is <a def-id="temporary-session"></a>.</p>
<p class="note">If <var>persistent state allowed</var> value is <code>true</code> at this point, the <var>implementation</var> MUST support <a def-id="persistent-license-session"></a> and/or <a def-id="persistent-release-message-session"></a>.</p>
</li>
<li><p>Let <var>session</var> be a new <a>MediaKeySession</a> object, and initialize it as follows:</p>
<ol>
<li><p>Let the <a def-id="sessionId"></a> attribute be the empty string.</p></li>
<li><p>Let the <a def-id="expiration"></a> attribute be <code>NaN</code>.</p></li>
<li><p>Let the <a def-id="closed"></a> attribute be a new promise.</p></li>
<li><p>Let the <a def-id="keyStatuses"></a> attribute be empty.</p></li>
<li><p>Let the <var>session type</var> value be <var>sessionType</var>.</p></li>
<li><p>Let the <var>uninitialized</var> value be true.</p></li>
<li><p>Let the <var>callable</var> value be false.</p></li>
<li><p>Let the <var>use distinctive identifier</var> value be this object's <var>use distinctive identifier</var>.</p></li>
<li><p>Let the <var>cdm implementation</var> value be this object's <var>cdm implementation</var>.</p></li>
<li><p>Let the <var>cdm instance</var> value be this object's <var>cdm instance</var>.</p></li>
</ol>
</li>
<li><p>Return <var>session</var>.</p></li>
</ol>
</dd>
<dt>Promise&lt;void&gt; setServerCertificate()</dt>
<dd>
<p id="server-certificate">Provides a server certificate to be used to encrypt messages to the license server.</p>
<p>Key Systems that use such certificates MUST also support requesting the certificate from the server via the <a def-id="queue-message-algorithm"></a> algorithm.</p>
<p class="note">This method allows an application to proactively provide a server certificate to implementations that support it to avoid the additional round trip should the CDM request it.
It is intended as an optimization, and applications are not required to use it.
</p>
<dl class='parameters'>
<dt>BufferSource serverCertificate</dt>
<dd>
The server certificate.
The contents are <a def-id="keysystem"></a>-specific.
It MUST NOT contain executable code.
</dd>
</dl>
<ol class="method-algorithm">
<li><p>If <var>serverCertificate</var> is an empty array, return a promise rejected with a new <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>If the <a def-id="keysystem"></a> implementation represented by this object's <var>cdm implementation</var> value does not support server certificates, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>.</p></li>
<li><p>Let <var>certificate</var> be a copy of the contents of the <var>serverCertificate</var> parameter.</p></li>
<li><p>Let <var>promise</var> be a new promise.</p></li>
<li><p>Run the following steps asynchronously:</p>
<ol>
<li><p>Use this object's <var>cdm instance</var> to process <var>certificate</var>.</p></li>
<li><p>If the preceding step failed, reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="appropriate-error-name"></a>.</p></li>
<li><p>Resolve <var>promise</var>.</p></li>
</ol>
</li>
<li><p>Return <var>promise</var>.</p></li>
</ol>
</dd>
</dl>
</section>
<section>
<h2><a>MediaKeySession</a> Interface</h2>
<p>The MediaKeySession object represents a <a href="#key-session">key session</a>.</p>
<p>For methods that return a promise, all errors are reported asynchronously by rejecting the returned Promise. This includes [[!WebIDL]] type mapping errors.</p>
<p>The steps of an algorithm are always aborted when resolving or rejecting a promise.</p>
<dl title="interface MediaKeySession : EventTarget" class='idl'>
<dt>readonly attribute DOMString sessionId</dt>
<dd>
<p>The <a def-id="session-id"></a> for this object and the associated key(s) or license(s).</p>
</dd>
<dt>readonly attribute unrestricted double expiration</dt>
<dd>
<p>The time, in milliseconds since 01 January, 1970 UTC, after which the key(s) in the session will no longer be usable to decrypt <a def-id="media-data"></a>, or <code>NaN</code> if no such time exists, as determined by the CDM.</p>
<p class="note">This value MAY change during the session lifetime, such as when an action triggers the start of a window.</p>
</dd>
<dt>readonly attribute Promise&lt;void&gt; closed</dt>
<dd>
<p>Signals when the object becomes closed as a result of the <a def-id="session-close-algorithm"></a> algorithm being run.
This promise can only be fulfilled and is never rejected.</p>
</dd>
<dt>readonly attribute MediaKeyStatusMap keyStatuses</dt>
<dd>
<p>A reference to a read-only map of <a def-id="key-id">key IDs</a> <a href="#known-key">known</a> to the session to the current status of the associated key.
Each entry MUST have a unique key ID.
</p>
<p class="note">The map entries and their values may be updated whenever the event loop spins.
The map can never be inconsistent or partially updated, but it may change between accesses if the event loop spins in between accesses.
Key IDs may be added as the result of a <a def-id="load"></a> or <a def-id="update"></a> call.
Key IDs may be removed as the result of a <a def-id="update"></a> call that removes knowledge of existing keys (or replaces the existing set of keys with a new set).
Key IDs MUST NOT be removed because they became unusable, such as due to expiration. Instead, such keys MUST be given an appropriate status, such as <a def-id="status-expired"></a>.</p>
</dd>
<dt>Promise&lt;void&gt; generateRequest()</dt>
<dd>
<p>Generates a request based on the <var>initData</var>.</p>
<dl class='parameters'>
<dt>DOMString initDataType</dt>
<dd>
The <a def-id="initialization-data-type"></a> of the <var>initData</var>.
</dd>
<dt>BufferSource initData</dt>
<dd>
<a def-id="initialization-data"></a>
</dd>
</dl>
<ol class="method-algorithm">
<li><p>If this object's <var>uninitialized</var> value is false, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidStateError"></a>.</p></li>
<li><p>Let this object's <var>uninitialized</var> be false.</p></li><!-- For simplicity and consistency, this object cannot be reused after any failure. -->
<li><p>If <var>initDataType</var> is the empty string, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>If <var>initData</var> is an empty array, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>If the <a def-id="keysystem"></a> implementation represented by this object's <var>cdm implementation</var> value does not support <var>initDataType</var> as an <a def-id="initialization-data-type"></a>, return a promise rejected with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>. String comparison is case-sensitive.</p></li>
<li><p>Let <var>init data</var> be a copy of the contents of the <var>initData</var> parameter.</p></li>
<li><p>Let <var>session type</var> be this object's <var>session type</var>.</p></li>
<li><p>Let <var>promise</var> be a new promise.</p></li>
<li><p>Run the following steps asynchronously:</p>
<ol>
<li><p>If the <var>init data</var> is not valid for <var>initDataType</var>, reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>Let <var>sanitized init data</var> be a validated and sanitized version of <var>init data</var>.</p>
<p>The user agent MUST thoroughly validate the <a def-id="initialization-data"></a> before passing it to the CDM.
This includes verifying that the length and values of fields are reasonable, verifying that values are within reasonable limits, and stripping irrelevant, unsupported, or unknown data or fields.
It is RECOMMENDED that user agents pre-parse, sanitize, and/or generate a fully sanitized version of the <a def-id="initialization-data"></a>.
If the <a def-id="initialization-data"></a> format specified by <var>initDataType</var> supports multiple entries, the user agent SHOULD remove entries that are not needed by the CDM.
</p>
</li>
<li><p>If the previous step failed, reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="InvalidAccessError"></a>.</p></li>
<li><p>Let <var>session id</var> be the empty string.</p></li>
<li><p>Let <var>message</var> be null.</p></li>
<li><p>Let <var>cdm</var> be the CDM instance represented by this object's <var>cdm instance</var> value.</p></li>
<li><p>Use the <var>cdm</var> to execute the following steps:</p>
<ol>
<li><p>If the <var>init data</var> is not supported by the <var>cdm</var>, reject <var>promise</var> with <a def-id="new-domexception-named"></a> <a def-id="NotSupportedError"></a>.</p></li>
<li><p>Follow the steps for the first matching condition from the following list:</p>
<dl class="switch">
<dt>If <var>session type</var> is <a def-id="temporary-session"></a></dt>
<dd>
<p>Let <var>requested license type</var> be a temporary non-persistable license.</p>
<p class="note">The returned license must not be persistable or require persisting proof of license release.</p>
</dd>
<dt>If <var>session type</var> is <a def-id="persistent-license-session"></a></dt>
<dd>
<p>Let <var>requested license type</var> be a persistable license.</p>