
[whatwg] Same-origin checking for media elements

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 12 Nov 2008 02:19:44 -0800
Message-ID: <491AADC0.9060701@sicking.cc>

Maciej Stachowiak wrote:
> 
> On Nov 10, 2008, at 6:50 PM, Robert O'Callahan wrote:
> 
>> Should <video> and <audio> elements be able to load and play resources 
>> from other origins?
>>
>> Perhaps Ian thinks not:
>> http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104
>> There's a to-and-fro discussion here:
>> http://lists.xiph.org/pipermail/theora/2008-November/001931.html
>> Jonas got involved here:
>> http://lists.xiph.org/pipermail/theora/2008-November/001958.html
>>
>> There are three obvious options:
>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the API 
>> to limit the information a page can get about media loaded from a 
>> different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server 
>> explicitly allows it via the Access Control spec (e.g. by sending the 
>> "Access-Control-Allow-Origin: *" header).
> 
> I'd prefer 1 or 2 (assuming the restrictions assumed by 2 are reasonable).

We're already exposing more on <video> than we are for <img>. 
ProgressEvents expose the file size, and there is API to get the 
duration of the playtime.

An additional, though rather minor, problem is that implementations will 
have to delay the loadstart event until they have confirmed that the 
targeted file is in fact a real video file, and have confirmed that with 
a relatively high level of confidence. Otherwise the size of random HTML 
files can be measured using the <video> element.

And that's on top of the things that <img> unfortunately already exposes 
such as the image existence and its on-screen size.

Things are largely mitigated if we don't send cookies (nor other auth 
credentials) when doing cross-site <video> requests. Then the only 
information that can be leaked is information protected by firewalls.

However I am still concerned with putting wording in the HTML spec 
basically saying

# If you are putting a video file, or something that looks a lot like
# it, behind a firewall, the firewall is not going to provide any actual
# security for some of the meta-data about that video. Any website on
# the internet is going to be able to see that videos existence, its
# filesize, its dimensions in pixels and its playtime duration in
# seconds. The only security the firewall is going to provide for
# that data is obscurity, i.e. it is unlikely that any other person
# outside will know the url to that video to fetch that meta data.

Yes, we should say the same thing for images (minus some of the meta 
data), but I can't say that I'm thrilled about that since I suspect few 
people realize that.


/ Jonas
Received on Wednesday, 12 November 2008 02:19:44 UTC
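
A sketch of option 3 from the quoted list, combined with the no-credentials mitigation described in the message, as an added example that is not part of the original message or of any browser's code. The function name `mediaExposurePolicy` and its inputs are hypothetical, and the wildcard and credentials handling follows current CORS rules rather than anything stated in the thread.

```javascript
// Added example: a model of "option 3" (opt-in via Access-Control-Allow-Origin)
// plus the credential-free mitigation. All names here are hypothetical.

// Metadata the message says a page can learn about a <video> resource.
const MEDIA_METADATA = ["exists", "fileSize", "width", "height", "duration"];

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// Decide whether the embedding page may observe metadata of a media response.
// Assumptions: `headers` is a plain object with lower-cased header names;
// `sentCredentials` is true when cookies or HTTP auth went with the request.
function mediaExposurePolicy(pageUrl, mediaUrl, headers, sentCredentials) {
  const deny = (reason) => ({ allowed: false, reason, exposed: [] });
  const allow = (reason) => ({ allowed: true, reason, exposed: MEDIA_METADATA });

  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(mediaUrl)) return allow("same-origin");

  const acao = (headers["access-control-allow-origin"] || "").trim();
  if (acao === "") return deny("no-opt-in"); // server never opted in

  if (acao === "*") {
    // A wildcard opt-in only covers requests made without credentials.
    return sentCredentials ? deny("wildcard-with-credentials") : allow("wildcard");
  }
  if (acao !== pageOrigin) return deny("origin-mismatch");

  // A credentialed request needs an explicit, case-sensitive "true".
  if (sentCredentials && headers["access-control-allow-credentials"] !== "true") {
    return deny("credentials-not-allowed");
  }
  return allow("origin-match");
}

// Constructed sample: a firewalled video fetched from an outside page.
const sample = mediaExposurePolicy(
  "https://outside.example/page.html",
  "http://intranet.example/meeting.ogv",
  {}, // the intranet server sends no Access-Control-Allow-Origin
  false
);
console.log(sample.reason, sample.exposed); // nothing is exposed to the page
```

Under this model the firewalled video in the constructed sample exposes no metadata at all, because the intranet server never opted in.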
