[whatwg] HTML 5 : The Youtube response

On Jun 30, 2010, at 8:30 AM, Tab Atkins Jr. wrote:

> On Wed, Jun 30, 2010 at 8:14 AM, Philip J?genstedt <philipj at opera.com> wrote:
>> On Wed, 30 Jun 2010 16:31:20 +0200, Tab Atkins Jr. <jackalmage at gmail.com>
>> wrote:
>>> In any case, embedding
>>> videos via <iframe sandbox=allow-scripts> should work fine, once more
>>> browsers support it.
>>> 
>>> ~TJ
>>> 
>> 
>> What issues would there be with simply using <iframe> without sandboxing?
>> What doesn't the cross-origin policy stop?
> 
> Oh, duh.  Sorry, yeah, just pointing the iframe to a different-origin
> resource on youtube.com would work fine.

Embedding an off-site <iframe> without sandboxing would in fact be more secure than embedding an off-site SWF. This is really an ecosystem issue, not a technology issue, as I understand it. Many of the significant video providers have gotten most of the popular blogging sites and sites that accept user-generated content to whitelist their SWFs. They are probably not motivated to do <iframe> embedding until the sites where content would be posted allow it, and the sites that allow posting content have little incentive to allow <iframe> embedding until video providers are offering it.

I think it would help to have a shared recommended approach to this, to break the logjam. Some of us at Apple are planning to talk to various media providers about it.

Regards,
Maciej

Received on Wednesday, 30 June 2010 15:04:17 UTC