W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2008

[whatwg] Same-origin checking for media elements

From: Tim Starling <tstarling@wikimedia.org>
Date: Wed, 12 Nov 2008 14:22:03 +1100
Message-ID: <491A4BDB.1070903@wikimedia.org>
Robert O'Callahan wrote:
> Should <video> and <audio> elements be able to load and play resources
> from other origins?
>
> Perhaps Ian thinks not:
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104
> There's a to-and-fro discussion here:
> http://lists.xiph.org/pipermail/theora/2008-November/001931.html
> Jonas got involved here:
> http://lists.xiph.org/pipermail/theora/2008-November/001958.html
>
> There are three obvious options:
> 1) Allow unrestricted cross-origin <video>/<audio>
> 2) Allow cross-origin <video>/<audio> but carefully restrict the API
> to limit the information a page can get about media loaded from a
> different origin
> 3) Disallow cross-origin <video>/<audio> unless the media server
> explicitly allows it via the Access Control spec (e.g. by sending the
> "Access-Control-Allow-Origin: *" header).
>

(3) is particularly nasty due to the incentive it creates for insecure
configuration. We've seen this already with Flash policy files. Many
administrators uploaded a crossdomain.xml with <allow-access-from
domain="*"/>, not realising what sort of vulnerability they were opening
up. It would be a shame to borrow security ideas from possibly the least
secure client on the web, and to mandate those insecure ideas in browser
standards.

JavaScript already has measures along the lines of (2), in the context
of frames. The information a script can obtain about a frame from a
different origin is carefully restricted. I think that a similar
solution would be best. It has the advantage of consistency and proven
security.

--
Tim Starling
Wikimedia Foundation
Received on Tuesday, 11 November 2008 19:22:03 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:07 UTC