- From: Ralph Giles <giles@xiph.org>
- Date: Mon, 10 Nov 2008 23:43:18 -0800
On 10-Nov-08, at 7:49 PM, Maciej Stachowiak wrote:

>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the
>> API to limit the information a page can get about media loaded
>> from a different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server
>> explicitly allows it via the Access Control spec (e.g. by sending
>> the "Access-Control-Allow-Origin: *" header).
>
> I'd prefer 1 or 2 (assuming the restrictions assumed by 2 are
> reasonable).

One point that came out of the theora-level thread is that (2) would be less surprising if there's some kind of error mechanism flagging the restriction. For example, taint-tracking infrastructure could throw an exception when the javascript vm attempts to move cross-site data outside the layout and render engines.

This would offer some help to authors when a locally tested design mysteriously stops working when deployed.

FWIW,
-r
Received on Monday, 10 November 2008 23:43:18 UTC
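
A toy model of the error mechanism suggested in the message above, as an added example that is not part of the original post or of any browser's code: rendering cross-origin media always works, but script read-back from a tainted surface throws a named error that says which origin caused the restriction. The names `MediaResource`, `Surface` and `tryRead`, the `example` origins and the pixel values are assumptions made for illustration.

```javascript
// Toy model of origin tainting with an explicit error on script read-back.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// A media resource: its origin and the Access-Control-Allow-Origin value
// (if any) its server sent. Pixel data is a constructed stand-in.
class MediaResource {
  constructor(url, allowOriginHeader = null) {
    this.origin = new URL(url).origin;
    this.allowOrigin = allowOriginHeader;
    this.pixels = [1, 2, 3, 4];
  }
  readableBy(pageOrigin) {
    return this.origin === pageOrigin ||
           this.allowOrigin === "*" || this.allowOrigin === pageOrigin;
  }
}

// A page-owned drawing surface. Drawing (rendering) is always allowed;
// read-back is refused once an unreadable cross-origin frame was drawn.
class Surface {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.taintedBy = null; // origin that tainted the surface, if any
    this.pixels = [];
  }
  drawFrame(media) {
    this.pixels = media.pixels.slice();
    if (!media.readableBy(this.pageOrigin)) this.taintedBy = media.origin;
  }
  readPixels() {
    if (this.taintedBy !== null) {
      throw new SecurityError(
        `surface tainted by cross-origin media from ${this.taintedBy}; ` +
        `read-back blocked for ${this.pageOrigin}`);
    }
    return this.pixels.slice();
  }
}

// Draw one frame and attempt read-back, reporting the error instead of failing silently.
function tryRead(pageOrigin, media) {
  const s = new Surface(pageOrigin);
  s.drawFrame(media);
  try { return { ok: true, data: s.readPixels() }; }
  catch (e) { return { ok: false, error: e.name, message: e.message }; }
}
```

With the media served from the page's own origin (the local-testing case) `tryRead` succeeds; with the same file moved to another origin and no Access-Control header it returns a `SecurityError` naming that origin, which is the diagnostic the message asks for.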