I think the point is that to consume any particular piece of content, the publisher decides which CDM is appropriate, which effectively lets them decide who (which browser) can consume their content.
In the assumption I'm describing, it's irrelevant which CDM a publisher chooses. The reason is that the CDM must operate via EME, an open standard that can be implemented by any browser. Therefore, CDMs are inherently browser agnostic just like NPAPI plugins.
Is it really true that CDMs are actually browser-specific or are able to enforce a browser whitelist? If so, that is horrific.
> Is it really true that CDMs are actually browser-specific or are able to enforce a browser whitelist?
The EME standard only covers the DOM APIs and the interactions between the video player JavaScript and the CDM. There is no standard browser API or ABI for CDMs like there is for NPAPI.
For the site, it doesn't matter. For someone who wants to build a new browser that supports EME, it does matter. There is no standard CDM API, so they must copy open-source code (from Firefox or Chrome) or rely on documentation from a closed-source CDM.
For Firefox, Mozilla has a plugin ABI called GMP (Gecko Media Plugin) similar to NPAPI. Unlike NPAPI, GMPs are not directly instantiated by web content and, AFAIK, the list of supported GMPs is hardcoded in Firefox. Cisco's OpenH264 codec and Adobe's Primetime CDM are GMPs. Google's Widevine CDM has its own API, so Firefox uses a Mozilla-written GMP that wraps Google's Widevine DLL or .so binary.
I'm afraid I don't know the history of it well enough to give a good answer, but IIUC what the EFF is claiming here is that CDMs are (potentially proprietary) black boxes and that EME treats them as such. Therefore, publishers are able to decide which browsers are even allowed to use the CDM which they designate.
EME is the standardized specification on the browser side... That's all it is.
CDMs could technically only work for one browser via fingerprinting, but that could already happen without EME (or DRM entirely) using browser fingerprinting to only serve content to UAs the publishers "trust".