
[whatwg] More YouTube response

From: Maciej Stachowiak <mjs@apple.com>
Date: Fri, 02 Jul 2010 18:04:54 -0700
Message-ID: <6829CF63-7A27-43AD-A1E6-1D16C42157F1@apple.com>

On Jul 2, 2010, at 12:09 PM, John Harding wrote:

> On Thu, Jul 1, 2010 at 9:16 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> > As several people pointed out (and which I tried to get at in my post), this
> > is really an ecosystem issue rather than a change needed in the spec or in
> > browsers.  I suspect it's going to take some time, but the flexibility of
> > embedding content via <iframe> will be a big step forward.
> Wouldn't it be straightforward for YouTube to offer <iframe> support
> right now, in addition to <object>?  The backend support should be
> simple to do.  If you keep the <object> code as the default embed
> recommendation and hide the <iframe> embed code somewhere so people
> will only use it if they look for it, you won't risk confusing anyone.
> Sites that currently whitelist <object> from YouTube will eventually
> whitelist <iframe> from YouTube too -- I hope there aren't many sites
> that permit *arbitrary* <object>s to be inserted by untrusted users.
> Allowing <iframe> will have other benefits, like allowing fallback
> "install Flash" content (currently omitted from the <object> code, I
> assume to keep the size down).
> Yes, it's pretty straightforward to offer <iframe>-based embed code, but it needs to be coupled with getting sites to accept them, or we end up with a lot of confused, unhappy users.  Note that sites don't generally whitelist specific SWFs - they generally allow all Flash embeds. 

Any site which does that has a giant security hole, since Flash can be used to arbitrarily script the embedding page. It's about as safe as allowing embedding of arbitrary off-site <script>. If you are aware of sites that allow embedding of arbitrary off-site Flash, you should alert them to the potential security risks. For example a social network site that allowed this would be vulnerable to a self-propagating worm.

What I have heard before is that sites whitelist specific SWFs or Flash from specific domains. I don't have any first-hand knowledge of how sites actually do it.
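To make the distinction in the reply concrete, here is an added example (not code from the thread or from YouTube) of an embed allowlist check that contrasts the weak "allow every Flash embed" policy with a host-based one. The snippet is regex-based for brevity; the host names and video id are constructed placeholders.

```javascript
// Attributes through which <object>/<embed>/<iframe> load remote active content.
const SRC_ATTRS = ["src", "data", "movie"];

// Extract every (tag, url) pair in a snippet that would fetch active content.
function embedSources(html) {
  const out = [];
  const tagRe = /<(object|embed|iframe|param)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs] = m;
    const kv = {};
    const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) kv[a[1].toLowerCase()] = a[2];
    // <param name="movie" value="..."> is how an <object> names its SWF.
    if (tag.toLowerCase() === "param") {
      if ((kv.name || "").toLowerCase() === "movie" && kv.value) out.push(["object", kv.value]);
      continue;
    }
    for (const k of SRC_ATTRS) if (kv[k]) out.push([tag.toLowerCase(), kv[k]]);
  }
  return out;
}

// policy.allowAllFlash reproduces the weak rule from the thread: any Flash
// embed passes, whatever host it comes from. With it off, every remote
// source (including iframes) must come from an allowlisted host.
function embedAllowed(html, policy) {
  const sources = embedSources(html);
  if (sources.length === 0) return false; // nothing embeddable: reject
  return sources.every(([tag, url]) => {
    let host;
    try { host = new URL(url, "https://example.invalid/").hostname; } catch { return false; }
    if (policy.allowAllFlash && tag !== "iframe") return true;
    return policy.hosts.some(h => host === h || host.endsWith("." + h));
  });
}

// Constructed sample snippets (placeholder hosts and video id).
const YOUTUBE_IFRAME = '<iframe src="https://www.youtube.com/embed/VIDEOID" width="425" height="344"></iframe>';
const OFFSITE_SWF = '<object width="425" height="344"><param name="movie" value="http://offsite.example/third-party.swf">'
  + '<embed src="http://offsite.example/third-party.swf" type="application/x-shockwave-flash"></embed></object>';

const WEAK = { allowAllFlash: true, hosts: ["youtube.com"] };   // accepts any SWF
const STRICT = { allowAllFlash: false, hosts: ["youtube.com"] }; // host allowlist only
```

Under WEAK the off-site SWF is accepted, which is the "giant security hole" described above; under STRICT only the youtube.com iframe passes.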


Received on Friday, 2 July 2010 18:04:54 UTC
