[theora] <video/> and cross site scripting policy.
jonas at sicking.cc
Fri Nov 7 18:45:58 PST 2008
Silvia Pfeiffer wrote:
> On Fri, Nov 7, 2008 at 3:23 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
>> On Thu, Nov 6, 2008 at 11:07 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
>>> One thing to keep in mind is that if we ship with a same-origin restriction
>>> now, and then discover later that was a really dumb mistake, we can then
>>> relax it and little has been lost. But if we ship with no restrictions and
>>> then find out *that* was a dumb mistake, there's nothing we can do without
>>> massively breaking things; we'll have to live with that mistake forever
>>> (like <img>).
>> This is a very good point which I had not fully considered.
>> I'd like to point out that <img> can be significantly improved:
>> Specify a header Access-Control-Deny-Origin: with the following rules:
>> If there is an allow header mentioning your origin, allow. If there
>> is a deny mentioning your origin deny. If there is a wildcard allow,
>> allow, wildcard deny deny. No header? Allow for legacy things, deny
>> for new things/unsafe things.
>> Under that scenario images would eventually gain the protection as
>> servers are updated to emit a deny. But in that situation I'd
>> suggest that video should work like img in accordance with the
>> principle of least surprise.
> I like this suggestion. It's one that is built to enable access
> control where necessary without restricting the general case where
> people just want to make their content available.
> Can this be an alternative for <video/> too?
This would address the leeching bandwidth problem by giving sites a way
to disable hotlinking, but it wouldn't address any of the problems that
I brought up in my previous mail.
We can't ask people to opt in to security; too many will forget and we'd
have to assume that they will.
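
The precedence of the allow/deny rules quoted above, written out as an added example; it is not code from this thread or from any browser. Assumptions: the allow header is named `Access-Control-Allow-Origin`, header values are whitespace-separated origins or `*`, the function name `decide` and its `legacy` flag are hypothetical, and a response whose headers match nothing is denied (the proposal does not cover that case).

```javascript
// Added illustration of the proposed Access-Control-Deny-Origin rules.
// Header keys are assumed to be lower-cased by the caller.
function parseList(value) {
  // null means "header absent"; [] means "header present but empty".
  return value === undefined ? null : value.trim().split(/\s+/).filter(Boolean);
}

// legacy = true for element types that already load cross-origin (<img>),
// false for "new things/unsafe things" in the proposal's wording.
function decide(headers, origin, legacy) {
  const allow = parseList(headers["access-control-allow-origin"]);
  const deny = parseList(headers["access-control-deny-origin"]);

  // "No header? Allow for legacy things, deny for new things/unsafe things."
  if (allow === null && deny === null) return legacy ? "allow" : "deny";

  // Explicit mentions are checked before wildcards, allow before deny.
  if (allow && allow.includes(origin)) return "allow";
  if (deny && deny.includes(origin)) return "deny";
  if (allow && allow.includes("*")) return "allow";
  if (deny && deny.includes("*")) return "deny";

  // Not covered by the proposal; assumption made here: fail closed.
  return "deny";
}

// Constructed sample responses (example.* origins are placeholders).
const noHeaders = {};
const partnersOnly = {
  "access-control-allow-origin": "https://partner.example",
  "access-control-deny-origin": "*",
};
const blockOneSite = {
  "access-control-allow-origin": "*",
  "access-control-deny-origin": "https://hotlinker.example",
};

// A server that was never updated sends no header: a legacy element type
// stays readable from every origin, a new element type does not.
console.log(decide(noHeaders, "https://other.example", true));   // allow
console.log(decide(noHeaders, "https://other.example", false));  // deny
console.log(decide(partnersOnly, "https://other.example", true)); // deny
```
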