https://bugzilla.wikimedia.org/show_bug.cgi?id=58478

--- Comment #4 from Michael Dale <md...@wikimedia.org> ---
Within kaltura proper we do sandbox the player in an iframe, but we still make
use of parent javascript access for synchronous api ( postMessage is
asynchronous ) Also HTML fullscreen on iPads and IE's we need parent page
access to adjust the iframe layout to take up full browser page space.

The kaltura player uses a friendly ( same domain ) iframe, but this does not
reduce attack surface, since you can just jump up to the parent frame and run
any JS you want, furthermore you would have to structure things to server the
player iframe from another domain, to have any effect on 'attack surface'. 

Also, you need to do tricky iframe injection strategies [1] to support one
click play on mobile chrome and iOS ( assuming we ever care about single click
to play user experience )
[1] https://github.com/kaltura/mwEmbed/blob/master/kWidget/kWidget.js#L935
Thouse injection strategies only work for same domain iframes. 

And finally safari blocks cross domain iframe cookies, so any personalization /
customization / private media playback has to be structured post "click" in
iframe, or via url parameterization.

Having a separate rendering / entry point, has its own sets of risks, that
probably outweigh advantages of cross domain iframing the player. 


I recommend we use normal precautions of localization string and api based
playback ( no more video payload injection )

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

Reply via email to