[theora] <video/> and cross site scripting policy.

[Chris Double]

Robert O'Callahan sent this, in reply to Gregory Maxwell's post, but
is not a member of the list and it seem to have got lost.

---------- Forwarded message ----------
From: Robert O'Callahan <robert at ocallahan.org>
Date: Thu, Nov 6, 2008 at 3:34 PM
Subject: [theora] <video/> and cross site scripting policy.
To: theora at xiph.org


BTW, a couple of reasons why a default same-origin policy (with opt-in
relaxation via Access Controls) is a good idea:

The main reason is that it gives servers control over who uses their
resources. Checking 'Referrer' headers doesn't work well since it
denies access to anyone behind a firewall that strips Referrer for
good privacy reasons (or similarly, disables Referrer in the browser
for the same reasons).

Another reason is that cross-origin loads have been a huge source of
security problems on the Web. For example, if a user at example.org
visits evil.com, we don't want evil.com to be able to guess the names
of videos on intranet.example.com, test if they exist, load them and
determine their length and size, get closed-caption data, etc. Yes,
similar attacks are already possible on images, scripts and CSS ---
and that's been a gigantic source of security troubles. We'd block
cross-site loads of those resources if we could without breaking the
Web. For new kinds of loads, such as XHR, downloadable fonts, and
<video> streams, we would like to get it right this time.

The burden of configuring the "Access-Control-Allow-Origin: *" header
on the servers that are willing to serve video (or fonts etc) to the
world seems like a reasonable tradeoff.

Rob
--
"He was pierced for our transgressions, he was crushed for our
iniquities; the punishment that brought us peace was upon him, and by
his wounds we are healed. We all, like sheep, have gone astray, each
of us has turned to his own way; and the LORD has laid on him the
iniquity of us all." [Isaiah 53:5-6]