[theora] <video/> and cross site scripting policy.

Silvia Pfeiffer silviapfeiffer1 at gmail.com
Fri Nov 7 18:07:02 PST 2008


On Fri, Nov 7, 2008 at 3:23 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Thu, Nov 6, 2008 at 11:07 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
>> One thing to keep in mind is that if we ship with a same-origin restriction
>> now, and then discover later that was a really dumb mistake, we can then
>> relax it and little has been lost. But if we ship with no restrictions and
>> then find out *that* was a dumb mistake, there's nothing we can do without
>> massively breaking things; we'll have to live with that mistake forever
>> (like <img>).
>
> This is a very good point which I had not fully considered.
>
> I'd like to point out that <img> can be significantly improved:
> Specify a header Access-Control-Deny-Origin: with the following rules:
>  If there is an allow header mentioning your origin, allow. If there
> is a deny mentioning your origin deny.  If there is a wildcard allow,
> allow, wildcard deny deny.  No header?  Allow for legacy things, deny
> for new things/unsafe things.
>
> Under that scenario images would eventually gain the protection as
> servers are updated to emit a deny.   But in that situation I'd
> suggest that video should work like img in accordance with the
> principle of least surprise.

I like this suggestion. It's one that is built to enable access
control where necessary without restricting the general case where
people just want to make their content available.

Can this be an alternative for <video/> too?

Regards,
Silvia.


More information about the theora mailing list