[theora] <video/> and cross site scripting policy.

Ralph Giles giles at xiph.org
Sun Nov 9 22:56:21 PST 2008

On 9-Nov-08, at 9:31 PM, Conrad Parker wrote:

> One issue that I'm not clear on is: at what point does served content
> contain such information that it introduces vulnerabilities? Is it
> when it contains personalized content/markup, or javascript? Or is a
> static video file somehow susceptible to attack?

I can't speak for Robert, but I believe the concern with static video  
is with leaking the video itself, which has privacy and, in a  
firewalled environment, information security implications.

For example, many webcams have a standard access url. So a malicious  
page could include javascript which probes ip addresses on the user's  
lan, downloads and samples the video in the background and uploads it  
back to the origin. Since those cams might be behind a nat/firewall  
and aren't publicly addressable, this is a breach of organization- 
level security through what is effectively a subverted machine.


More information about the theora mailing list