[theora] <video/> and cross site scripting policy.

Ivo Emanuel Gonçalves justivo at gmail.com
Fri Nov 7 10:43:02 PST 2008


Yes, both Gregory and Michael make good points.

I'm afraid the Mozilla people are sometimes a bit too optimistic
about how the web works.  It's the unity of human creation: it's
messy, horrible and most of the time nobody knows what they're doing.

Log in to any tech news site and there's at least a weekly article
about how much "Firefox 3 SSL policy is hurting the web".  And then I
get complaints over email about how the Xiph Trac has an "invalid"
certificate and we're supposedly doing something wrong for not paying
a large fee for someone "trusted" to sign our certificates.

This issue here strikes me as very similar in most aspects.  In theory
it seems like a good idea to only let those sites who explicitly allow
hotlinking video have their videos show up on other sites.  This would
probably work in YouTube.  This would not work on a company's website
that wanted to use their partner's video in a news article; their
outsourced webmaster has no idea how to fix it.

So, I see two possible solutions for this issue:

Have all webserver software send
"Access-Control-Allow-Origin: *" by default, so only those who explicitly
wish to disallow hotlinking go ahead and disable it, or have Firefox
assume it's * by default.

This is not the perfect solution but a compromise, as neither
disallowing hotlinking by default nor removing this feature from
Firefox would please both sides.  And we are arguing here to reach a
compromise, right?

Let's not screw up <video>; it's supposed to be the <img> of video.

-Ivo

