On Jun 30, 2010, at 8:30 AM, Tab Atkins Jr. wrote: > On Wed, Jun 30, 2010 at 8:14 AM, Philip Jägenstedt <[email protected]> wrote: >> On Wed, 30 Jun 2010 16:31:20 +0200, Tab Atkins Jr. <[email protected]> >> wrote: >>> In any case, embedding >>> videos via <iframe sandbox=allow-scripts> should work fine, once more >>> browsers support it. >>> >>> ~TJ >>> >> >> What issues would there be with simply using <iframe> without sandboxing? >> What doesn't the cross-origin policy stop? > > Oh, duh. Sorry, yeah, just pointing the iframe to a different-origin > resource on youtube.com would work fine.
Embedding an off-site <iframe> without sandboxing would in fact be more secure than embedding an off-site SWF. This is really an ecosystem issue, not a technology issue, as I understand it. Many of the significant video providers have gotten most of the popular blogging sites and sites that accept user-generated content to whitelist their SWFs. They are probably not motivated to do <iframe> embedding until the sites where content would be posted allow it, and the sites that allow posting content have little incentive to allow <iframe> embedding until video providers are offering it. I think it would help to have a shared recommended approach to this, to break the logjam. Some of us at Apple are planning to talk to various media providers about it. Regards, Maciej
