[whatwg] Redirect handling for <audio> & <video>

On Thu, 03 Mar 2011 22:15:58 +0100, Aaron Colwell <acolwell at google.com> wrote:

> Hi,
>
> I was looking at the resource fetch algorithm
> <http://www.whatwg.org/specs/web-apps/current-work/multipage/video.html#concept-media-load-resource>
> section and fetching resources
> <http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#fetch>
> sections of the HTML5 spec to determine what the proper behavior is for
> handling redirects. Both YouTube and Vimeo do 302 redirects to different
> hostnames from the URLs specified in the src attribute. It looks like the
> spec says that playback should fail in these cases because they are from
> different origins (Section 2.7 Fetching resources bullet 7). This leads me
> to a few questions.
>
> 1. Is my interpretation of the spec correct? Sample YouTube & Vimeo URLs
>    are shown below.
>    YouTube : src      : http://v22.lscache6.c.youtube.com/videoplayback? ...
>              redirect : http://tc.v22.cache6.c.youtube.com/videoplayback? ...
>
>    Vimeo   : src      : http://player.vimeo.com/play_redirect? ...
>              redirect : http://av.vimeo.com/05 ...

Yes, from what I can tell you're correct, but I think it's not  
intentional. The behavior was changed by <http://html5.org/r/5111> in  
2010-06-25, and this is the first time I've noticed it. Opera (and I  
assume most if not all other browsers) already supports HTTP redirects for  
<video> and I don't think it makes much sense to disallow it. For security  
purposes, the origin of the resource is considered to be the final  
destination, not any of the origins in the redirect chain.

> 2. What about http: -> https: redirects? Some content is required to be
>    delivered only via https and this sort of redirect enforces that but
>    isn't really a different origin.

Quoting  
<http://tools.ietf.org/html/draft-abarth-principles-of-origin-00#section-3>:

"two URLs are part of the same origin (i.e., represent the same principal)  
if they have the same scheme, host, and port"

Since both the scheme (http vs https) and port (80 vs 443) would be  
different, it's considered a different origin.

> 3. If my interpretation of the spec is correct, are there proposals to
>    change this or other specs that allow content providers to signal that
>    these different hostnames actually represent the same "origin".

I think the force same-origin flag introduced by <http://html5.org/r/5111>  
should be removed from the resource fetch algorithm, but the http vs https  
origin issue is not something that can really be changed.

-- 
Philip Jägenstedt
Core Developer
Opera Software

Received on Friday, 4 March 2011 01:30:58 UTC
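The following is an added illustration, not code from the thread or from any browser or spec: it models the two readings of redirect handling discussed above. An origin is the (scheme, host, port) tuple from the quoted principles-of-origin draft, with the scheme's default port filled in so that an explicit ":80" does not masquerade as a different origin. The "strict" reading fails a media load if any redirect hop leaves the origin of the src URL (what Aaron read the force same-origin flag to require); the "final destination" reading attributes the fetched resource to the origin of the last URL in the chain, as Philip describes. The redirect chains and hostnames below are constructed for the example and are not the YouTube or Vimeo URLs from the thread.

```javascript
// Added example (not from the thread): origin tuples and redirect-chain
// classification under the "strict" and "final destination" readings.

const DEFAULT_PORTS = { http: 80, https: 443 };

// Parse a URL into its origin tuple, filling in the scheme's default port.
// Node's URL parser already drops an explicit default port, so both
// "http://h/" and "http://h:80/" come out as port 80 here.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1); // 'http:' -> 'http'
  if (!(scheme in DEFAULT_PORTS)) throw new Error(`unsupported scheme: ${scheme}`);
  const port = u.port === '' ? DEFAULT_PORTS[scheme] : Number(u.port);
  return { scheme, host: u.hostname.toLowerCase(), port };
}

// Same origin iff scheme, host and port all match (the quoted draft's rule).
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// chain[0] is the URL from the src attribute; each later entry is the target
// of a redirect; the last entry is where the bytes actually came from.

// "Strict" reading: every hop must stay on the src origin or the load fails.
function strictSameOriginLoad(chain) {
  return chain.every((url) => sameOrigin(chain[0], url));
}

// "Final destination" reading: the resource's origin is that of the last URL.
function finalDestinationOrigin(chain) {
  return originOf(chain[chain.length - 1]);
}

// Summarise a chain: which hops cross an origin boundary, whether the strict
// reading would allow the load, and which origin the resource is attributed
// to under the final-destination reading.
function classifyChain(chain) {
  const crossOriginHops = [];
  for (let i = 1; i < chain.length; i++) {
    if (!sameOrigin(chain[i - 1], chain[i])) crossOriginHops.push(i);
  }
  return {
    crossOriginHops,
    strictLoadSucceeds: strictSameOriginLoad(chain),
    finalOrigin: finalDestinationOrigin(chain),
  };
}

// Constructed sample chains (hostnames invented for this example).
const HOSTNAME_REDIRECT = [
  'http://cdn-a.example/videoplayback?id=demo',
  'http://cdn-b.example/videoplayback?id=demo', // 302 to another hostname
];
const HTTPS_UPGRADE = [
  'http://media.example/clip.webm',
  'https://media.example/clip.webm', // http -> https: scheme and port differ
];
const SAME_ORIGIN_CHAIN = [
  'http://media.example/old/clip.webm',
  'http://media.example:80/new/clip.webm', // explicit default port: same origin
];

for (const chain of [HOSTNAME_REDIRECT, HTTPS_UPGRADE, SAME_ORIGIN_CHAIN]) {
  console.log(JSON.stringify(classifyChain(chain)));
}
```

Both cross-origin chains fail under the strict reading, including the http-to-https upgrade from question 2, which is exactly why the reply says the scheme/port difference cannot be treated as same-origin; only the explicit-default-port chain passes. Under the final-destination reading the hostname redirect loads, and any later origin check (for example, on a canvas that draws the frames) would use cdn-b.example.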