[theora] <video/> and cross site scripting policy.

Jonas Sicking jonas at sicking.cc
Fri Nov 7 18:45:58 PST 2008

Silvia Pfeiffer wrote:
> On Fri, Nov 7, 2008 at 3:23 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
>> On Thu, Nov 6, 2008 at 11:07 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
>>> One thing to keep in mind is that if we ship with a same-origin restriction
>>> now, and then discover later that was a really dumb mistake, we can then
>>> relax it and little has been lost. But if we ship with no restrictions and
>>> then find out *that* was a dumb mistake, there's nothing we can do without
>>> massively breaking things; we'll have to live with that mistake forever
>>> (like <img>).
>> This is a very good point which I had not fully considered.
>> I'd like to point out that <img> can be significantly improved:
>> Specify a header Access-Control-Deny-Origin: with the following rules:
>>  If there is an allow header mentioning your origin, allow. If there
>> is a deny mentioning your origin deny.  If there is a wildcard allow,
>> allow, wildcard deny deny.  No header?  Allow for legacy things, deny
>> for new things/unsafe things.
>> Under that scenario images would eventually gain the protection as
>> servers are updated to emit a deny.   But in that situation I'd
>> suggest that video should work like img in accordance with the
>> principle of least surprise.
> I like this suggestion. It's one that is built to enable access
> control where necessary without restricting the general case where
> people just want to make their content available.
> Can this be an alternative for <video/> too?

This would address the bandwidth leeching problem by giving sites a way
to disable hotlinking, but it wouldn't address any of the problems that
I brought up in my previous mail.

We can't ask people to opt in to security, too many will forget and we'd
have to assume that they will.

/ Jonas
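The decision rules in the quoted Access-Control-Deny-Origin proposal, written out as an added example that is not code from this thread or from any browser; the lowercase header keys, the `decideAccess` function, and the handling of a header that is present but names neither this origin nor a wildcard are assumptions.

```javascript
// Added example (not from the thread): the proposed allow/deny rules as a
// single decision function. "legacyElement" is true for pre-existing
// elements such as <img>, false for new ones such as <video>, which is
// the proposal's "allow for legacy things, deny for new things" default.

// Parse a comma-separated origin list into a Set; null when the header is absent.
function parseOriginList(value) {
  if (value == null) return null;
  return new Set(value.split(',').map(s => s.trim()).filter(Boolean));
}

// headers: plain object of lowercase response header name -> value (assumption).
// Returns 'allow' or 'deny' for an embed attempt from `origin`.
function decideAccess(headers, origin, legacyElement) {
  const allow = parseOriginList(headers['access-control-allow-origin']);
  const deny  = parseOriginList(headers['access-control-deny-origin']);

  // 1. An allow header naming this origin wins outright.
  if (allow && allow.has(origin)) return 'allow';
  // 2. A deny header naming this origin denies.
  if (deny && deny.has(origin)) return 'deny';
  // 3. Wildcard allow, then wildcard deny.
  if (allow && allow.has('*')) return 'allow';
  if (deny && deny.has('*')) return 'deny';
  // 4. No header, or headers that mention neither this origin nor '*'
  //    (the latter is an assumption; the proposal only covers "no header"):
  //    legacy elements stay permissive, new elements default to deny.
  return legacyElement ? 'allow' : 'deny';
}

// Constructed scenarios illustrating both sides of the discussion:
// an <img> on a server that has not been updated stays hotlinkable,
// the same server emitting a wildcard deny gains protection, and a
// <video> with no header is denied without the server opting in.
function scenarios() {
  const site = 'https://embedder.example';
  return {
    legacyNoHeader: decideAccess({}, site, true),
    legacyDenyAll:  decideAccess({ 'access-control-deny-origin': '*' }, site, true),
    videoNoHeader:  decideAccess({}, site, false),
  };
}
```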

