[whatwg] Same-origin checking for media elements

Robert O'Callahan wrote:
> Should <video> and <audio> elements be able to load and play resources
> from other origins?
>
> Perhaps Ian thinks not:
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104
> There's a to-and-fro discussion here:
> http://lists.xiph.org/pipermail/theora/2008-November/001931.html
> Jonas got involved here:
> http://lists.xiph.org/pipermail/theora/2008-November/001958.html
>
> There are three obvious options:
> 1) Allow unrestricted cross-origin <video>/<audio>
> 2) Allow cross-origin <video>/<audio> but carefully restrict the API
> to limit the information a page can get about media loaded from a
> different origin
> 3) Disallow cross-origin <video>/<audio> unless the media server
> explicitly allows it via the Access Control spec (e.g. by sending the
> "Access-Control-Allow-Origin: *" header).
>

(3) is particularly nasty due to the incentive it creates for insecure
configuration. We've seen this already with Flash policy files. Many
administrators uploaded a crossdomain.xml with <allow-access-from
domain="*"/>, not realising what sort of vulnerability they were opening
up. It would be a shame to borrow security ideas from possibly the least
secure client on the web, and to mandate those insecure ideas in browser
standards.

JavaScript already has measures along the lines of (2), in the context
of frames. The information a script can obtain about a frame from a
different origin is carefully restricted. I think that a similar
solution would be best. It has the advantage of consistency and proven
security.

--
Tim Starling
Wikimedia Foundation

Received on Tuesday, 11 November 2008 19:22:03 UTC
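The two mechanisms the post compares, a Flash crossdomain.xml and an Access-Control-Allow-Origin header, can both be granted far too widely by a single wildcard. The following is an added example (not part of the thread, not Wikimedia's or any browser vendor's code) of a small defender-side audit that parses a crossdomain.xml and a set of CORS response headers and flags the over-broad grants discussed above. The policy documents and header dictionaries are constructed samples; the hostnames are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (illustrative, not taken from any real site).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="static.example.org"/>
  <allow-access-from domain="*.media.example.org"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Flag allow-access-from entries in a Flash crossdomain.xml that grant
    read access more broadly than a host-scoped policy would."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        # Flash treats a missing 'secure' attribute as true; an explicit
        # "false" lets plain-http origins read content served over https.
        secure = elem.get("secure", "true").strip().lower()
        if domain == "*":
            findings.append('domain="*": any site may read responses to requests '
                            "that carry the user's cookies for this host")
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": every host under that suffix is trusted')
        if secure == "false":
            findings.append(f'secure="false" on domain="{domain}": '
                            "plain-http origins may read https content")
    return findings


def audit_cors(headers):
    """Flag over-broad CORS response headers.
    `headers` maps header name -> value; lookup is case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no cross-origin grant at all
    if acao == "*":
        findings.append("Access-Control-Allow-Origin: * : response readable by any "
                        "origin; acceptable only for genuinely public, "
                        "non-credentialed content")
        if credentials:
            findings.append("Allow-Credentials: true together with * : browsers "
                            "refuse the combination, so this is a misconfiguration "
                            "rather than a working grant")
    elif acao == "null":
        # Sandboxed iframes and data: URLs have the opaque origin "null",
        # so granting it is effectively granting everyone.
        findings.append("Access-Control-Allow-Origin: null : matches any opaque origin")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_crossdomain(policy))
    print(audit_cors({"Access-Control-Allow-Origin": "*",
                      "Access-Control-Allow-Credentials": "true"}))
    print(audit_cors({"Access-Control-Allow-Origin": "https://app.example.org"}))
```

A wildcard is not wrong in itself: truly public, non-credentialed media is exactly the case where `*` is appropriate. The audit therefore only reports what a reviewer should look at; the decision depends on whether the host ever serves content that varies by logged-in user.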