[stinkytaco]

>If Adobe's CDM can run while completely sandboxed from network and file access

I'll admit this isn't my area of expertise, but how would this be possible?

[chx]

The CDM and the server runs some sort of secure key exchange with the browser doing the actual network traffic. The browser is eavesdropping on the communication but that's what Diffie-Hellman, STS etc are solving. Then the browser gets the encrypted stream, hands it to the CDM which has some ties to the OS to be able to draw on the screen. Only tie to the OS is required, no files, no network. The browser can handle those.

[bzbarsky]

The EME spec is designed to make this feasible at least in principle: the browser hands the encrypted video bits to the CDM.

In the case of Adobe's CDM and Mozilla, this is one of the points that was explicitly negotiated: the CDM will be running in a sandbox.