
[whatwg] Same-origin checking for media elements

From: Ralph Giles <giles@xiph.org>
Date: Mon, 10 Nov 2008 23:43:18 -0800
Message-ID: <0779B6D2-8253-4E72-8882-3338BCCC2A3A@xiph.org>

On 10-Nov-08, at 7:49 PM, Maciej Stachowiak wrote:

>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the  
>> API to limit the information a page can get about media loaded  
>> from a different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server  
>> explicitly allows it via the Access Control spec (e.g. by sending  
>> the "Access-Control-Allow-Origin: *" header).
>
> I'd prefer 1 or 2 (assuming the restrictions assumed by 2 are  
> reasonable).

One point that came out of the theora-level thread is that (2) would  
be less surprising if there's some kind of error mechanism flagging  
the restriction. For example, taint-tracking infrastructure could  
throw an exception when the JavaScript VM attempts to move cross-site  
data outside the layout and render engines.

This would offer some help to authors when a locally tested design  
mysteriously stops working when deployed.

FWIW,
  -r
Received on Monday, 10 November 2008 23:43:18 UTC
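
Added example, not part of the original message or of any browser's code: a toy JavaScript model of option (2) with the explicit error the message asks for, where drawing cross-origin media always succeeds but reading it back into script throws. Every class and function name (`MediaResource`, `Surface`, `tryReadback`) and every URL is hypothetical, and the header check stands in for the opt-in described in option (3).

```javascript
// Toy taint-tracking model; names are hypothetical, not a browser API.
class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// A media resource as the render engine sees it after fetching.
class MediaResource {
  constructor(url, responseHeaders = {}) {
    this.origin = new URL(url).origin;
    this.allowOrigin = responseHeaders["access-control-allow-origin"] || null;
    this.pixels = [1, 2, 3, 4]; // constructed sample frame data
  }
}

// True when script on pageOrigin may read the resource's data:
// same origin, or the server opted in (option 3 in the quoted list).
function isReadable(resource, pageOrigin) {
  if (resource.origin === pageOrigin) return true;
  return resource.allowOrigin === "*" || resource.allowOrigin === pageOrigin;
}

// A drawing surface owned by the page. Drawing stays inside the engine;
// readPixels() is the point where data would cross into script.
class Surface {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.tainted = false;
    this.pixels = [];
  }
  draw(resource) {
    if (!isReadable(resource, this.pageOrigin)) this.tainted = true; // sticky
    this.pixels = resource.pixels.slice();
  }
  readPixels() {
    if (this.tainted) {
      throw new SecurityError(
        `surface holds cross-origin media; ${this.pageOrigin} may not read it`);
    }
    return this.pixels.slice();
  }
}

// Returns "ok" or the name of the error raised on readback.
function tryReadback(pageUrl, mediaUrl, headers) {
  const surface = new Surface(new URL(pageUrl).origin);
  surface.draw(new MediaResource(mediaUrl, headers));
  try { surface.readPixels(); return "ok"; } catch (e) { return e.name; }
}
```

The named exception is what turns the "works locally, fails when deployed" case into something an author can diagnose: the same page code returns data when media and page share an origin and raises `SecurityError` once the media moves to another host.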
