[theora] <video/> and cross site scripting policy.

Gregory Maxwell gmaxwell at gmail.com
Wed Nov 5 17:03:41 PST 2008


It's been brought to my attention that Mozilla will be changing their
implementation of <video/> to default deny cross-site requests.
(http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104)

In other words:  <video src="http://someothersite/videos.ogg"/> Will
not work by default.  It will not work like the <img/> tag does, or
like the embed/object tags do which are used to embed Flash
applications, or things like QT video work today.

There is a new HTTP access control mechanism
http://www.w3.org/TR/access-control/  which can be used by the target
server to instruct the client to allow the access.

Because it took me a while to understand the implications for these
GET requests, I'll explain how the authentication sequence would work:
 (check my work, if I get this wrong, please correct me).

My site, somesite.com has a document which contains <video
src="http://yoursite.com/video.ogg"/>.  A client visits the document.
The client attempts to play the video. It connects to yoursite.com and
includes a http request header "Origin: somesite.com".  Yoursite.com
consults its configuration and responds with
"Access-Control-Allow-Origin: somesite.com".  The video plays.
Alternatively, it could reply with "Access-Control-Allow-Origin: *"
and the video would play.   If the server is unaware of this little
dance and does not include the header, or replies with some other
"Access-Control-Allow-Origin:" (perhaps due to an unaware cache) the
video will not load and play.

I believe this will have some fairly significant impacts on the
usability of the <video/> tag, but I'm not completely sure that I
understand the authentication mechanism or the implications.    I
think this issue needs more eyes on it,  but I'll ask that you not
pick up your pitchforks until we really know that we understand the
implications.

Thanks.
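The request/response dance described above, written out as a small simulation so both sides of the exchange can be checked. This is an added example, not code from the post or from the Theora project: a server-side function that decides whether to emit Access-Control-Allow-Origin, a browser-side function that decides whether the video may play, and a wrapper that runs one full exchange. The hostnames, the allow-list, and the "stale cache" case are constructed for illustration. Note that current browsers send the Origin header as a full serialized origin (scheme plus host, e.g. "http://somesite.com") rather than the bare hostname written in the post, so the example uses that form.

```python
"""Simulate the cross-site <video> GET with the HTTP access-control headers.

Added example (not part of the original post). Assumed names:
  - yoursite.com serves video.ogg and keeps ALLOWED_ORIGINS (constructed)
  - somesite.com embeds the video; thirdsite.example is another embedder
"""
from typing import Dict, Optional

# Constructed allow-list kept by the video host (yoursite.com in the post).
ALLOWED_ORIGINS = {"http://somesite.com"}


def server_response(request_headers: Dict[str, str], allow_any: bool = False) -> Dict[str, str]:
    """Headers yoursite.com sends for GET /video.ogg.

    If the requesting Origin is on the allow-list it is echoed back in
    Access-Control-Allow-Origin; an operator may instead answer "*".
    A server unaware of the mechanism sends no such header at all.
    """
    headers = {"Content-Type": "video/ogg"}
    origin = request_headers.get("Origin")
    if allow_any:
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        # The response now depends on the Origin header; tell caches so a
        # copy echoed for one site is not replayed to a different site.
        headers["Vary"] = "Origin"
    return headers


def client_may_play(document_origin: str, response_headers: Dict[str, str]) -> bool:
    """Browser-side decision: play only if the server explicitly allowed us."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    if allowed is None:
        return False  # server never heard of the dance: default deny
    return allowed == "*" or allowed == document_origin


def fetch_video(document_origin: str, allow_any: bool = False,
                stale_response: Optional[Dict[str, str]] = None) -> bool:
    """Run one exchange and return whether the video loads.

    `stale_response`, when given, stands in for an intermediate cache that
    ignored Vary and replays a response generated for some other Origin.
    """
    request = {"Origin": document_origin}
    response = stale_response if stale_response is not None \
        else server_response(request, allow_any)
    return client_may_play(document_origin, response)


if __name__ == "__main__":
    # Allow-listed embedder: header echoed, video plays.
    print(fetch_video("http://somesite.com"))
    # Operator replies "*": any embedder plays.
    print(fetch_video("http://thirdsite.example", allow_any=True))
    # Unlisted embedder on a server without "*": no header, video refused.
    print(fetch_video("http://thirdsite.example"))
    # Cache replays somesite's response to thirdsite: header mismatch, refused.
    cached = server_response({"Origin": "http://somesite.com"})
    print(fetch_video("http://thirdsite.example", stale_response=cached))
```

The last scenario is the "unaware cache" failure the post mentions: the cached copy carries someone else's Access-Control-Allow-Origin value, so the browser refuses even though the server would have allowed a direct request. Emitting Vary: Origin whenever the allow value is origin-specific (rather than "*") is the usual way to keep shared caches from producing that mismatch.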
