Encrypted Media Extensions


Encrypted Media Extensions is a W3C specification for providing a communication channel between web browsers and digital rights management agent software. This allows the use of HTML5 video to play back DRM-wrapped content such as streaming video services without the use of heavy third-party media plugins like Adobe Flash or Microsoft Silverlight. The use of a third-party key management system may be required, depending on whether the publisher chooses to scramble the keys.
EME is based on the HTML5 Media Source Extensions specification, which enables adaptive bitrate streaming in HTML5 using e.g. MPEG-DASH with MPEG-CENC protected content.
EME has been highly controversial because it places a necessarily proprietary, closed component into what might otherwise be an entirely open and free software ecosystem. On July 6, 2017, W3C publicly announced its intention to publish an EME web standard, and did so on September 18. On the same day, the Electronic Frontier Foundation, who joined in 2014 to participate in the decision making, published an open letter resigning from W3C.

Support

In April 2013, on the Samsung Chromebook, Netflix became the first company to offer HTML5 video using EME.
, the Encrypted Media Extensions interface has been implemented in the Google Chrome, Internet Explorer, Safari, Firefox, and Microsoft Edge browsers.
While backers and the developers of the Firefox web browser were hesitant in implementing the protocol for ethical reasons due to its dependency on proprietary code, Firefox introduced EME support on Windows platforms in May 2015. Firefox's implementation of EME uses an open-source sandbox to load the proprietary DRM modules, which are treated as plug-ins that are loaded when EME-encrypted content is requested. The sandbox was also designed to frustrate the ability for services and the DRM to uniquely track and identify devices. Additionally, it is always possible to disable DRM in Firefox, which then not only disables EME, but also uninstalls the CDM Widevine.
Netflix supports HTML5 video using EME with a supported web browser: Chrome, Firefox, Microsoft Edge, Internet Explorer, or Safari. YouTube supports the HTML5 MSE. Available players supporting MPEG-DASH using the HTML5 MSE and EME are NexPlayer, THEOplayer by OpenTelly, the bitdash MPEG-DASH player, dash.js by DASH-IF or rx-player.
Note that certainly in Firefox and Chrome, EME does not work unless the media is supplied via Media Source Extensions.
Version 4.3 and subsequent versions of Android support EME.

Content Decryption Modules

EME has faced strong criticism from both inside and outside W3C. The major issues for criticism are implementation issues for open-source browsers, entry barriers for new browsers, lack of interoperability, concerns about privacy and accessibility and possibility of legal trouble in the United States due to Chapter 12 of the DMCA.
There are potentially security issues introduced by running any form of DRM software, which would be obscured by the fact that all implementations are proprietary.
Exposing DRM modules that cannot be properly audited to web content, which is untrustworthy, may result in such software being abused and/or attacked by any website the user visits with the DRM software enabled. While Firefox does attempt to prevent malicious code from escaping its sandbox, there is no guarantee that the sandbox will work.
In July of 2020, Reddit started running a javascript program that launches a fingerprinting attack against the user's web browser. Part of the script attempts to load every possible DRM module that browsers can support, and logs what ends up loading as part of the data collected. Users noticed this when Firefox began alerting them that Reddit "required" them to load DRM software to play media, although none of the media on the page actually needed it.