[theora] <video/> and cross site scripting policy.

Gregory Maxwell gmaxwell at gmail.com
Thu Nov 6 19:56:34 PST 2008

On Thu, Nov 6, 2008 at 9:52 PM, Jason Self <jason.self at gmail.com> wrote:
>> 2) the server can leave the access check to the browser
> Even if browsers are updated to include support for this, leaving
> access control to the very software accessing the material means that
> the user can disable the check and make this whole thing completely
> ineffective.
> If anyone is concerned about stolen/wasted bandwidth/resources/
> whatever, I think that the correct solution is to place it behind some
> kind of secure authentication. As long as the content is accessible to
> the general population someone WILL find a way to get to it whether
> you approve or not.

Not that I am in favor of the same-origin restriction, but I do not
agree with your argument.

Consider: Evilsite.com shows people free nuddies. It also runs
invisible JavaScript that silently makes every client load a jillion
videos from poorvictim.com.

Same origin policy would provide a degree of protection here (they'd
still get connection requests, but not the whole transfer).  The fact
that the user could hack their browser (or use wget) is not especially

Consider another site, myselfishspace.com (any resemblance to
existing sites is purely coincidental). Myselfishspace gives people
advertising-laden free hosting but doesn't care to deal with the
bandwidth costs of music and video, so they let people hotlink
music/video, frequently shifting that cost onto unsuspecting victims.
Same-origin would make these videos/audio not work for users not
using hacked browsers (99.9999…% of all users). The problem is
effectively stopped. (It could also be mostly stopped in other ways,
like an opt-in failure rather than opt-out.)

In all these cases and others the fact that a client could be
reprogrammed is not relevant. Same-origin provides protection.

Fail by default also will make life hard for proxy operators who would
blindly strip the origin tags. Bad for <video/> support, good for
people trying to make the web a more secure place.

I am opposed to the same origin policy for <video/> because I believe
the harm will significantly outweigh the reduction in the total attack
surface so long as things like <img/> remain unchanged,  and it misses
an opportunity to produce a solution which could be consistently
applied to both <video/> and <img/>. ... But I do not deny that the
restrictions do have non-trivial advantages.

The omission of a baseline set of reasonable non-proprietary codecs in
the HTML5 <video/> specification is evidence enough that the usability
of this tag is less important than other factors for some participants
in the standard process.  This isn't the case for me or most other
people on this list, so it's no surprise that we have objections to
changes which make <video/> harder to use.  But this is what we have
to work with. Let's try to make the best of it.
