https://bugzilla.wikimedia.org/show_bug.cgi?id=58478
--- Comment #4 from Michael Dale <[email protected]> --- Within kaltura proper we do sandbox the player in an iframe, but we still make use of parent javascript access for synchronous api ( postMessage is asynchronous ) Also HTML fullscreen on iPads and IE's we need parent page access to adjust the iframe layout to take up full browser page space. The kaltura player uses a friendly ( same domain ) iframe, but this does not reduce attack surface, since you can just jump up to the parent frame and run any JS you want, furthermore you would have to structure things to server the player iframe from another domain, to have any effect on 'attack surface'. Also, you need to do tricky iframe injection strategies [1] to support one click play on mobile chrome and iOS ( assuming we ever care about single click to play user experience ) [1] https://github.com/kaltura/mwEmbed/blob/master/kWidget/kWidget.js#L935 Thouse injection strategies only work for same domain iframes. And finally safari blocks cross domain iframe cookies, so any personalization / customization / private media playback has to be structured post "click" in iframe, or via url parameterization. Having a separate rendering / entry point, has its own sets of risks, that probably outweigh advantages of cross domain iframing the player. I recommend we use normal precautions of localization string and api based playback ( no more video payload injection ) -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
