- From: Tim Starling <tstarling@wikimedia.org>
- Date: Wed, 12 Nov 2008 14:22:03 +1100
Robert O'Callahan wrote: > Should <video> and <audio> elements be able to load and play resources > from other origins? > > Perhaps Ian thinks not: > http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104 > There's a to-and-fro discussion here: > http://lists.xiph.org/pipermail/theora/2008-November/001931.html > Jonas got involved here: > http://lists.xiph.org/pipermail/theora/2008-November/001958.html > > There are three obvious options: > 1) Allow unrestricted cross-origin <video>/<audio> > 2) Allow cross-origin <video>/<audio> but carefully restrict the API > to limit the information a page can get about media loaded from a > different origin > 3) Disallow cross-origin <video>/<audio> unless the media server > explicitly allows it via the Access Control spec (e.g. by sending the > "Access-Control-Allow-Origin: *" header). > (3) is particularly nasty due to the incentive it creates for insecure configuration. We've seen this already with Flash policy files. Many administrators uploaded a crossdomain.xml with <allow-access-from domain="*"/>, not realising what sort of vulnerability they were opening up. It would be a shame to borrow security ideas from possibly the least secure client on the web, and to mandate those insecure ideas in browser standards. JavaScript already has measures along the lines of (2), in the context of frames. The information a script can obtain about a frame from a different origin is carefully restricted. I think that a similar solution would be best. It has the advantage of consistency and proven security. -- Tim Starling Wikimedia Foundation
Received on Tuesday, 11 November 2008 19:22:03 UTC