- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 12 Nov 2008 01:47:49 -0800
Tim Starling wrote: > Robert O'Callahan wrote: >> Should <video> and <audio> elements be able to load and play resources >> from other origins? >> >> Perhaps Ian thinks not: >> http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104 >> There's a to-and-fro discussion here: >> http://lists.xiph.org/pipermail/theora/2008-November/001931.html >> Jonas got involved here: >> http://lists.xiph.org/pipermail/theora/2008-November/001958.html >> >> There are three obvious options: >> 1) Allow unrestricted cross-origin <video>/<audio> >> 2) Allow cross-origin <video>/<audio> but carefully restrict the API >> to limit the information a page can get about media loaded from a >> different origin >> 3) Disallow cross-origin <video>/<audio> unless the media server >> explicitly allows it via the Access Control spec (e.g. by sending the >> "Access-Control-Allow-Origin: *" header). >> > > (3) is particularly nasty due to the incentive it creates for insecure > configuration. We've seen this already with Flash policy files. Many > administrators uploaded a crossdomain.xml with <allow-access-from > domain="*"/>, not realising what sort of vulnerability they were opening > up. It would be a shame to borrow security ideas from possibly the least > secure client on the web, and to mandate those insecure ideas in browser > standards. Please read my posting to the xiph list linked above (specifically towards the end when talking about access-control). Access-Control is very different from flashs crossdomain.xml in that you can opt in to sharing just public data. This means that for every server on the internet, it is completely safe to add the header "Access-Control-Allow-Origin: *" without risking leaking private data that couldn't be fetched using wget already. / Jonas
Received on Wednesday, 12 November 2008 01:47:49 UTC