[theora] <video/> and cross site scripting policy.
Conrad Parker
conrad at metadecks.org
Mon Nov 10 00:27:07 PST 2008
2008/11/10 Ralph Giles <giles at xiph.org>:
> On 9-Nov-08, at 9:31 PM, Conrad Parker wrote:
>
>> One issue that I'm not clear on is: at what point does served content
>> contain such information that it introduces vulnerabilities? Is it
>> when it contains personalized content/markup, or javascript? Or is a
>> static video file somehow susceptible to attack?
>
> I can't speak for Robert, but I believe the concern with static video is
> with leaking the video itself, which has privacy and, in a firewalled
> environment, information security implications.
>
> For example, many webcams have a standard access url. So a malicious page
> could include javascript which probes ip addresses on the user's lan,
> downloads and samples the video in the background and uploads it back to the
> origin. Since those cams might be behind a nat/firewall and aren't publicly
> addressable, this is a breach of organization-level security through what is
> effectively a subverted machine.
Got it.
So perhaps a good default (unconfigured) server configuration is to
not send out any special Allow header, and then document how to change
that appropriately.
K.
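To make the suggested default concrete, here is an added example (not code from the theora project or from either author in the thread) that models the browser-side decision the "Allow header" controls. It assumes the header being discussed is the CORS response header Access-Control-Allow-Origin; the page URLs, camera URL and response headers are constructed for illustration.

```python
"""Added illustration of why "send no Allow header by default" is a safe
server default: a minimal model of the browser's cross-origin read check.

Assumption: the "special Allow header" from the thread is the CORS header
Access-Control-Allow-Origin (ACAO). All URLs and headers are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ACAO = "access-control-allow-origin"

Headers = Iterable[Tuple[str, str]]


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int

    @classmethod
    def parse(cls, url: str) -> "Origin":
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
        if not parts.hostname or port is None:
            raise ValueError(f"cannot derive an origin from {url!r}")
        return cls(parts.scheme, parts.hostname, port)

    def serialize(self) -> str:
        # Browsers omit the default port when serializing an origin.
        if self.port == DEFAULT_PORTS.get(self.scheme):
            return f"{self.scheme}://{self.host}"
        return f"{self.scheme}://{self.host}:{self.port}"


def _allow_origin(headers: Headers) -> Optional[str]:
    """Return the ACAO value from a response, or None if the server sent none."""
    value = None
    for name, val in headers:
        if name.lower() == ACAO:
            value = val.strip()
    return value


def cross_origin_read_allowed(page_url: str, video_url: str, headers: Headers) -> bool:
    """True if script on page_url may read the bytes/frames of video_url.

    Same-origin content is always readable.  Cross-origin content is readable
    only if the server opts in with an ACAO header naming the page's origin
    (or '*').  With no header the <video> still plays, but script cannot
    sample the frames or upload them anywhere.
    """
    page = Origin.parse(page_url)
    video = Origin.parse(video_url)
    if page == video:
        return True
    allowed = _allow_origin(headers)
    if allowed is None:
        return False
    return allowed == "*" or allowed == page.serialize()


def classify_allow_policy(headers: Headers) -> str:
    """Label the server's configuration for a video resource.

    'closed' - no ACAO header: the unconfigured default proposed in the thread
    'scoped' - an explicit origin: readable only by that one site
    'open'   - wildcard: readable by script on any site that can reach the URL
    """
    value = _allow_origin(headers)
    if value is None:
        return "closed"
    if value == "*":
        return "open"
    return "scoped"


if __name__ == "__main__":
    # Constructed sample: an intranet-only camera and two requesting pages.
    cam = "http://cam.internal.example/stream.ogv"
    viewer = "https://intranet.example/viewer.html"
    outsider = "https://untrusted.example/page.html"

    closed = [("Content-Type", "video/ogg")]
    scoped = closed + [("Access-Control-Allow-Origin", "https://intranet.example")]
    wide_open = closed + [("Access-Control-Allow-Origin", "*")]

    for label, hdrs in (("closed", closed), ("scoped", scoped), ("open", wide_open)):
        print(f"{label:7s} policy={classify_allow_policy(hdrs):7s}",
              f"intranet viewer can read: {cross_origin_read_allowed(viewer, cam, hdrs)}",
              f"outside page can read: {cross_origin_read_allowed(outsider, cam, hdrs)}")
```

The model deliberately covers only the allow-origin header; credentials handling (Access-Control-Allow-Credentials) and preflight are out of scope. The point it makes is the one in the message: with no header sent, a cross-origin page can still embed and play the video, but its script gets no access to the content, so the leak described in the quoted text is not possible through this path.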