[tptacek]

I don't know a lot of software security people who work on browser security that agree with this. The prevailing sentiment is the opposite: that standardize DRM reduces the attack surface of proprietary DRM down to that of a CDM, rather than full-featured browser plugins. By doing so, EME is improving security, not damaging it.

[icebraining]

We could have neither, though.

[tptacek]

By what, banning plugins? Now you're asking the anti-DRM people to do exactly what they're angry at the pro-DRM people for doing: preventing people from running a particular kind of program on their computer. It's an incoherent position.

[Furmark]

Not banning, simply not providing api for them.

[tptacek]

That doesn't work. Look what happens with AV providers: they hack their own plugin interface into the browser, and everybody loses more security.

[madez]

You can have arbitrary exceptions to ensure coherency. There is no reasonable need to have a position without exceptions. Reality isn't that simple.