[theora] <video/> and cross site scripting policy.

Gregory Maxwell gmaxwell at gmail.com
Wed Nov 5 17:03:41 PST 2008

It's been brought to my attention that Mozilla will be changing their
implementation of <video/> to default deny cross-site requests.

In other words:  <video src="http://someothersite/videos.ogg"/> Will
not work by default.  It will not work like the <img/> tag does, or
like the embed/object tags do which are used to embed Flash
applications, or things like QT video work today.

There is a new HTTP access control mechanism
http://www.w3.org/TR/access-control/  which can be used by the target
server to instruct the client to allow the access.

Because it took me a while to understand the implications for these
GET requests, I'll explain how the authentication sequence would work:
 (check my work, if I get this wrong, please correct me).

My site, somesite.com has a document which contains <video
src="http://yoursite.com/video.ogg"/>.  A client visits the document.
The client attempts to play the video. It connects to yoursite.com and
includes a http request header "Origin: somesite.com".  Yoursite.com
consults its configuration and responds with
"Access-Control-Allow-Origin: somesite.com".  The video plays.
Alternatively, it could reply with "Access-Control-Allow-Origin: *"
and the video would play.   If the server us unaware of this little
dance and does not include the header, or replies with some other
"Access-Control-Allow-Origin:" (perhaps due to an unaware cache) the
video will not load and play.

I believe this will have some fairly significant impacts on the
usability of the <video/> tag, but I'm not completely sure that I
understand the authentication mechanism or the implications.    I
think this issue needs more eyes on it,  but I'll ask that you not
pick up your pitchforks until we really know that we understand the


More information about the theora mailing list