[theora] <video/> and cross site scripting policy.

Conrad Parker conrad at metadecks.org
Mon Nov 10 00:27:07 PST 2008

2008/11/10 Ralph Giles <giles at xiph.org>:
> On 9-Nov-08, at 9:31 PM, Conrad Parker wrote:
>> One issue that I'm not clear on is: at what point does served content
>> contain such information that it introduces vulnerabilities? Is it
>> when it contains personalized content/markup, or javascript? Or is a
>> static video file somehow susceptible to attack?
> I can't speak for Robert, but I believe the concern with static video is
> with leaking the video itself, which has privacy and, in a firewalled
> environment, information security implications.
> For example, many webcams have a standard access url. So a malicious page
> could include javascript which probes ip addresses on the user's lan,
> downloads and samples the video in the background and uploads it back to the
> origin. Since those cams might be behind a nat/firewall and aren't publicly
> addressable, this is a breach of organization-level security through what is
> effectively a subverted machine.

got it.

So perhaps a good default (unconfigured) server configuration is to
not send out any special Allow header, and then document how to change
that appropriately.


More information about the theora mailing list