https://bugzilla.wikimedia.org/show_bug.cgi?id=58478

--- Comment #5 from Bawolff (Brian Wolff) <bawolff...@gmail.com> ---
(In reply to comment #4)
> Within kaltura proper we do sandbox the player in an iframe, but we still make
> use of parent javascript access for synchronous api ( postMessage is
> asynchronous ). Also HTML fullscreen on iPads and IE's we need parent page
> access to adjust the iframe layout to take up full browser page space.
> 
> The kaltura player uses a friendly ( same domain ) iframe, but this does not
> reduce attack surface, since you can just jump up to the parent frame and run
> any JS you want, furthermore you would have to structure things to serve the
> player iframe from another domain, to have any effect on 'attack surface'.

The point here is more to centralize js - js gets loaded with the iframe so
that we could avoid including the TMH loader js on all page loads, while at the
same time not have to keep track of which pages have a video on them.
