[whatwg] Same-origin checking for media elements

Ralph Giles giles at xiph.org
Mon Nov 10 23:43:18 PST 2008


On 10-Nov-08, at 7:49 PM, Maciej Stachowiak wrote:

>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the  
>> API to limit the information a page can get about media loaded  
>> from a different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server  
>> explicitly allows it via the Access Control spec (e.g. by sending  
>> the "Access-Control-Allow-Origin: *" header).
>
> I'd prefer 1 or 2 (assuming the restrictions assumed by 2 are  
> reasonable).

One point that came out of the theora-level thread is that (2) would  
be less surprising if there's some kind of error mechanism flagging  
the restriction. For example, taint-tracking infrastructure could  
throw an exception when the javascript vm attempts to move cross-site  
data outside the layout and render engines.

This would offer some help to authors when a locally tested design  
mysteriously stops working when deployed.

FWIW,
  -r




More information about the whatwg mailing list