Tim Starling wrote:
Robert O'Callahan wrote:
Should <video> and <audio> elements be able to load and play resources
from other origins?
Perhaps Ian thinks not:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104
There's a to-and-fro discussion here:
http://lists.xiph.org/pipermail/theora/2008-November/001931.html
Jonas got involved here:
http://lists.xiph.org/pipermail/theora/2008-November/001958.html
There are three obvious options:
1) Allow unrestricted cross-origin <video>/<audio>
2) Allow cross-origin <video>/<audio> but carefully restrict the API
to limit the information a page can get about media loaded from a
different origin
3) Disallow cross-origin <video>/<audio> unless the media server
explicitly allows it via the Access Control spec (e.g. by sending the
"Access-Control-Allow-Origin: *" header).
(3) is particularly nasty due to the incentive it creates for insecure
configuration. We've seen this already with Flash policy files. Many
administrators uploaded a crossdomain.xml with <allow-access-from
domain="*"/>, not realising what sort of vulnerability they were opening
up. It would be a shame to borrow security ideas from possibly the least
secure client on the web, and to mandate those insecure ideas in browser
standards.
Please read my posting to the xiph list linked above (specifically
towards the end when talking about access-control). Access-Control is
very different from Flash's crossdomain.xml in that you can opt in to
sharing just public data. This means that for every server on the
internet, it is completely safe to add the header
"Access-Control-Allow-Origin: *" without risking leaking private data
that couldn't be fetched using wget already.
/ Jonas
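
An added example, not part of the original thread: a small Python audit contrasting the two policies discussed above, the wildcard crossdomain.xml and the "Access-Control-Allow-Origin: *" header. It assumes the browser rule that a wildcard Access-Control-Allow-Origin is not honoured for requests sent with credentials; the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard Flash policy quoted in the thread.
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def flash_policy_allows_all(policy_xml):
    """True if a crossdomain.xml grants read access to every domain."""
    root = ET.fromstring(policy_xml)
    return any(e.get("domain", "").strip() == "*"
               for e in root.iter("allow-access-from"))


def cors_exposure(headers):
    """Classify what the Access-Control headers let other origins read.

    Returns "none", "public-only" or "credentialed".
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "") == "true"
    if not origin:
        return "none"
    if origin == "*":
        # Assumption: browsers reject a wildcard for credentialed requests,
        # so only the cookie-less view of the resource becomes readable.
        return "public-only"
    return "credentialed" if with_creds else "public-only"


def audit(policy_xml, headers):
    """Return findings for settings that expose per-user (cookie-backed) data."""
    findings = []
    if policy_xml is not None and flash_policy_allows_all(policy_xml):
        findings.append("crossdomain.xml: domain=\"*\" lets any site's Flash "
                        "content read responses fetched with the user's cookies")
    if cors_exposure(headers) == "credentialed":
        findings.append("Access-Control: a named origin may read credentialed "
                        "responses; confirm that origin is trusted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, {"Access-Control-Allow-Origin": "*"}):
        print(finding)
```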