- From: John Harding <jharding@google.com>
- Date: Wed, 7 Jul 2010 13:54:26 -0700
MySpace is my canonical example - they allow arbitrary SWFs to be embedded in profiles, but not <iframe>s. Flash added support a while back that allows containing pages to block SWFs from executing script or accessing the contents of the page, which MySpace enforces by rewriting the <embed> tag that users post. Before that, yes, allowing arbitrary SWFs to be posted by users was a huge security hole.

Regardless, I think we're all agreed on the path forward (use <iframe>s to embed content instead of naked <embed> tags) and just need to start moving on it, and the ball is largely in YouTube's court on this point.

-John

On Fri, Jul 2, 2010 at 6:20 PM, Maciej Stachowiak <mjs at apple.com> wrote:
>
> On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:
>
> > Any site which does that has a giant security hole, since Flash can be used to arbitrarily script the embedding page. It's about as safe as allowing embedding of arbitrary off-site <script>. If you are aware of sites that allow embedding of arbitrary off-site Flash, you should alert them to the potential security risks. For example a social network site that allowed this would be vulnerable to a self-propagating worm.
> >
> > What I have heard before is that sites whitelist specific SWFs or Flash from specific domains. I don't have any first-hand knowledge of how sites actually do it.
>
> With testing I found at least one site where I can apparently embed arbitrary SWFs. However, this site has per-user domains, so it might be relatively safe. This site also allows me to embed arbitrary content in an <iframe>.
>
> Regards,
> Maciej
Received on Wednesday, 7 July 2010 13:54:26 UTC
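The two mechanisms John describes above, as an added example that is not code from the thread, MySpace or YouTube: a server-side rewrite of a user-posted <embed> tag that forces Flash's allowScriptAccess attribute to never (and, going one step beyond the message, allowNetworking to internal so the SWF cannot navigate the page either), and the thread's preferred alternative of wrapping the SWF in an <iframe> served from a separate origin. The player origin https://player.example.net, its /flash path and swf query parameter, the attribute allowlist and the sample tags are all assumptions made up for this example.

```javascript
// Added example: hardening a user-posted <embed> tag the way the thread
// describes (force allowScriptAccess="never"), and the <iframe> alternative.
// Not MySpace's or YouTube's code; the player origin, path, query parameter,
// attribute allowlist and the sample tags are assumptions for illustration.

// One attribute: a name, optionally followed by = and a double-quoted,
// single-quoted or bare value.
const ATTR_RE = /([^\s=\/>"']+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// Attributes the profile page is willing to pass through to the plugin.
// Everything else (on* handlers, allowScriptAccess, type, ...) is dropped.
const ALLOWED = new Set(['src', 'width', 'height', 'wmode', 'quality', 'bgcolor', 'flashvars']);

function firstDefined(...vals) {
  for (const v of vals) if (v !== undefined) return v;
  return '';
}

// Parse a single <embed ...> tag into a lowercase-keyed attribute map, or null
// if the input is not an <embed>. As in the HTML parser, the first duplicate wins,
// so a second allowscriptaccess="always" cannot override what we emit first.
function parseEmbed(tag) {
  const m = /^\s*<embed\b([\s\S]*?)\/?>\s*$/i.exec(tag);
  if (!m) return null;
  const attrs = Object.create(null);
  for (const a of m[1].matchAll(ATTR_RE)) {
    const name = a[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = firstDefined(a[2], a[3], a[4]);
  }
  return attrs;
}

function escapeAttr(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Only absolute http(s) SWF URLs are accepted: rejects javascript:, data:, and
// relative URLs that would resolve to the hosting origin.
function isHttpUrl(u) {
  return /^https?:\/\//i.test(u || '');
}

// The MySpace-style rewrite: re-serialise the tag from an allowlist and append
// the attributes that stop the SWF from scripting the embedding document.
function hardenEmbed(tag) {
  const attrs = parseEmbed(tag);
  if (!attrs || !isHttpUrl(attrs.src)) return null;
  const out = [];
  for (const name of Object.keys(attrs)) {
    if (ALLOWED.has(name)) out.push(`${name}="${escapeAttr(attrs[name])}"`);
  }
  out.push('type="application/x-shockwave-flash"'); // never let the poster pick the handler
  out.push('allowscriptaccess="never"');            // no ExternalInterface / javascript: URLs
  out.push('allownetworking="internal"');           // no navigateToURL / getURL of the page
  return `<embed ${out.join(' ')}>`;
}

// The thread's path forward: embed via an <iframe> whose src is a player page
// on a separate origin (hypothetical), passing the SWF URL as a query parameter.
// A malicious SWF then scripts only the throwaway player origin, not the profile.
function toIframe(tag, playerOrigin = 'https://player.example.net') {
  const attrs = parseEmbed(tag);
  if (!attrs || !isHttpUrl(attrs.src)) return null;
  const url = new URL('/flash', playerOrigin);
  url.searchParams.set('swf', attrs.src);
  const w = /^\d+$/.test(attrs.width || '') ? attrs.width : '425';
  const h = /^\d+$/.test(attrs.height || '') ? attrs.height : '350';
  return `<iframe src="${escapeAttr(url.href)}" width="${w}" height="${h}" frameborder="0"></iframe>`;
}

// Constructed sample of what a hostile profile edit might contain.
const POSTED = '<embed src="http://attacker.example/worm.swf" allowScriptAccess="always" onload="alert(1)" width=425 height=350>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(hardenEmbed(POSTED));
  console.log(toIframe(POSTED));
  console.log(hardenEmbed('<embed src="javascript:alert(1)">')); // null
}
```

The iframe variant deliberately carries no HTML5 sandbox attribute: a sandboxed frame disables plugins entirely, so the isolation here comes from the separate origin, which is exactly the point John and Maciej are making about per-user domains.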