[whatwg] Same-origin checking for media elements
Ralph Giles
giles at xiph.org
Mon Nov 10 23:43:18 PST 2008
On 10-Nov-08, at 7:49 PM, Maciej Stachowiak wrote:
>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the
>> API to limit the information a page can get about media loaded
>> from a different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server
>> explicitly allows it via the Access Control spec (e.g. by sending
>> the "Access-Control-Allow-Origin: *" header).
>
> I'd prefer 1 or 2 (assuming the restrictions assumed by 2 are
> reasonable).
One point that came out of the theora-level thread is that (2) would
be less surprising if there's some kind of error mechanism flagging
the restriction. For example, taint-tracking infrastructure could
throw an exception when the javascript vm attempts to move cross-site
data outside the layout and render engines.
This would offer some help to authors when a locally tested design
mysteriously stops working when deployed.
FWIW,
-r
More information about the whatwg
mailing list