MySpace is my canonical example - they allow arbitrary SWFs to be embedded in profiles, but not <iframe>s. Flash added support a while back that allows containing pages to block SWFs from executing script or accessing the contents of the page, which MySpace enforces by rewriting the <embed> tag that users post. Before that, yes, allowing arbitrary SWFs to be posted by users was a huge security hole. <div>
<br></div><div>Regardless, I think we're all agreed on the path forward (Use <iframe>s to embed content instead of naked <embed> tags) and just need to start moving on it, and the ball is largely in YouTube's court on this point.</div>
<div><br></div><div>-John<br><br><div class="gmail_quote">On Fri, Jul 2, 2010 at 6:20 PM, Maciej Stachowiak <span dir="ltr"><<a href="mailto:mjs@apple.com">mjs@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:<br>
<br>
><br>
> Any site which does that has a giant security hole, since Flash can be used to arbitrarily script the embedding page. It's about as safe as allowing embedding of arbitrary off-site <script>. If you are aware of sites that allow embedding of arbitrary off-site Flash, you should alert them to the potential security risks. For example a social network site that allowed this would be vulnerable to a self-propagating worm.<br>
><br>
> What I have heard before is that sites whitelist specific SWFs or Flash from specific domains. I don't have any first-hand knowledge of how sites actually do it.<br>
<br>
</div>With testing I found at least one site where I can apparently embed arbitrary SWFs. However, this site has per-user domains, so it might be relatively safe. This site also allows me to embed arbitrary content in an <iframe>.<br>
<br>
Regards,<br>
<font color="#888888">Maciej<br>
<br>
<br>
</font></blockquote></div><br></div>
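<div><br></div><div>The two mitigations the thread mentions, as an added example (this is not code from the thread, from MySpace, or from YouTube): rewriting a user-posted &lt;embed&gt; tag so the SWF is denied script access to the containing page, which is what the thread says MySpace does, and replacing the naked &lt;embed&gt; with an &lt;iframe&gt; to a player page on a separate origin, which is the path forward the thread agrees on. The Flash parameters allowScriptAccess (always / sameDomain / never) and allowNetworking (all / internal / none) are real; the player host and its query string are assumptions, the constructed posted tag is sample input, and a production sanitizer should use a real HTML parser rather than the regex attribute scanner used here. Flash itself is end-of-life, so the point today is the pattern: strip what the poster sent, then force the policy yourself.</div>

```javascript
// Added example, not code from the thread, MySpace or YouTube.
// Assumptions: the hypothetical player host below; the attribute regex is
// good enough for a demo but a real sanitizer needs an HTML parser.

const ATTR_RE = /([A-Za-z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Scan the inside of a start tag into a lower-cased name -> value map.
function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function escapeAttr(v) {
  return String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
                  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Only absolute http(s) URLs; rejects javascript:, data:, vbscript:, etc.
function isSafeSrc(src) {
  try {
    const p = new URL(src).protocol;
    return p === "http:" || p === "https:";
  } catch {
    return false;
  }
}

// Attributes the poster may keep. Everything else is dropped: on* handlers,
// any allowScriptAccess / allowNetworking the poster set, name, id, style.
const KEEP = new Set(["src", "width", "height", "wmode", "quality", "bgcolor"]);

// Pull the poster's <embed> apart and keep only the harmless attributes.
function extractEmbed(html) {
  const m = /^\s*<embed\b([^>]*?)\/?>/i.exec(html);
  if (!m) return null;
  const attrs = parseAttrs(m[1]);
  if (!attrs.src || !isSafeSrc(attrs.src)) return null;
  const out = {};
  for (const [k, v] of Object.entries(attrs)) if (KEEP.has(k)) out[k] = v;
  return out;
}

// Mitigation 1 (the MySpace approach from the thread): re-emit the tag with
// the script-blocking Flash parameters forced on, regardless of what was posted.
function rewriteEmbed(html) {
  const attrs = extractEmbed(html);
  if (!attrs) return null;
  attrs.type = "application/x-shockwave-flash";
  attrs.allowscriptaccess = "never";   // SWF may not script the embedding page
  attrs.allownetworking = "internal";  // SWF may not navigate the page or open windows
  const body = Object.entries(attrs)
    .map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(" ");
  return `<embed ${body}>`;
}

// Mitigation 2 (the thread's path forward): never load the poster's SWF in the
// profile page's origin at all. Point an <iframe> at a player page on a
// separate host; the same-origin policy then keeps the SWF away from the
// profile page's DOM. (No sandbox attribute: sandboxed frames disable plugins.)
const PLAYER_ORIGIN = "https://player.example.net"; // assumption, not a real host

function toIframe(html) {
  const attrs = extractEmbed(html);
  if (!attrs) return null;
  const w = /^\d{1,4}$/.test(attrs.width || "") ? attrs.width : "425";
  const h = /^\d{1,4}$/.test(attrs.height || "") ? attrs.height : "350";
  const src = `${PLAYER_ORIGIN}/embed?swf=${encodeURIComponent(attrs.src)}`;
  return `<iframe src="${escapeAttr(src)}" width="${w}" height="${h}"></iframe>`;
}

// Constructed sample of what a user might post: tries to keep script access
// and smuggles an event handler.
const POSTED = '<embed src="http://cdn.example.com/x.swf" width="425" height="350" ' +
               'allowScriptAccess="always" onload="alert(1)">';
```

<div>Run it on POSTED and the rewritten tag keeps only src, width and height, gains allowscriptaccess="never" and allownetworking="internal", and loses the onload handler; a src of javascript: or data: is rejected outright. The iframe variant is the stronger of the two because it does not depend on the plugin honouring a parameter, only on the browser's same-origin policy.</div>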