[theora] <video/> and cross site scripting policy.
giles at xiph.org
Sun Nov 9 22:56:21 PST 2008
On 9-Nov-08, at 9:31 PM, Conrad Parker wrote:

> One issue that I'm not clear on is: at what point does served content
> contain such information that it introduces vulnerabilities? Is a
> static video file somehow susceptible to attack?

I can't speak for Robert, but I believe the concern with static video
is with leaking the video itself, which has privacy and, in a
firewalled environment, information security implications.

For example, many webcams have a standard access URL. So a malicious
LAN, downloads and samples the video in the background and uploads it
back to the origin. Since those cams might be behind a NAT/firewall
and aren't publicly addressable, this is a breach of organization-
level security through what is effectively a subverted machine.