[whatwg] Same-origin checking for media elements

Jonas Sicking jonas at sicking.cc
Wed Nov 12 01:47:49 PST 2008


Tim Starling wrote:
> Robert O'Callahan wrote:
>> Should <video> and <audio> elements be able to load and play resources
>> from other origins?
>>
>> Perhaps Ian thinks not:
>> http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104
>> There's a to-and-fro discussion here:
>> http://lists.xiph.org/pipermail/theora/2008-November/001931.html
>> Jonas got involved here:
>> http://lists.xiph.org/pipermail/theora/2008-November/001958.html
>>
>> There are three obvious options:
>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the API
>> to limit the information a page can get about media loaded from a
>> different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server
>> explicitly allows it via the Access Control spec (e.g. by sending the
>> "Access-Control-Allow-Origin: *" header).
>>
> 
> (3) is particularly nasty due to the incentive it creates for insecure
> configuration. We've seen this already with Flash policy files. Many
> administrators uploaded a crossdomain.xml with <allow-access-from
> domain="*"/>, not realising what sort of vulnerability they were opening
> up. It would be a shame to borrow security ideas from possibly the least
> secure client on the web, and to mandate those insecure ideas in browser
> standards.

Please read my posting to the xiph list linked above (specifically 
towards the end when talking about access-control). Access-Control is 
very different from flashs crossdomain.xml in that you can opt in to 
sharing just public data. This means that for every server on the 
internet, it is completely safe to add the header 
"Access-Control-Allow-Origin: *" without risking leaking private data 
that couldn't be fetched using wget already.

/ Jonas





More information about the whatwg mailing list