[whatwg] Same-origin checking for media elements
Jonas Sicking
jonas at sicking.cc
Wed Nov 12 02:19:44 PST 2008
Maciej Stachowiak wrote:
>
> On Nov 10, 2008, at 6:50 PM, Robert O'Callahan wrote:
>
>> Should <video> and <audio> elements be able to load and play resources
>> from other origins?
>>
>> Perhaps Ian thinks not:
>> http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104
>> There's a to-and-fro discussion here:
>> http://lists.xiph.org/pipermail/theora/2008-November/001931.html
>> Jonas got involved here:
>> http://lists.xiph.org/pipermail/theora/2008-November/001958.html
>>
>> There are three obvious options:
>> 1) Allow unrestricted cross-origin <video>/<audio>
>> 2) Allow cross-origin <video>/<audio> but carefully restrict the API
>> to limit the information a page can get about media loaded from a
>> different origin
>> 3) Disallow cross-origin <video>/<audio> unless the media server
>> explicitly allows it via the Access Control spec (e.g. by sending the
>> "Access-Control-Allow-Origin: *" header).
>
> I'd prefer 1 or 2 (assuming the restrictions assumed by 2 are reasonable).
We're already exposing more on <video> than we are for <img>.
ProgressEvents expose the file size, and there is API to get the
duration of the playtime.
An additional, though rather minor problem, is that implementations will
have to delay the loadstart event until it has confirmed that the
targeted file is in fact a real video file, and has confirmed that with
relatively high level of confidence. Otherwise the size of random HTML
files can be measured using the <video> element.
And that's on top of the things that <img> unfortunately already exposes
such as the image existence and it's on-screen size.
Things are largely mitigated if we don't send cookies (nor other auth
credentials) when doing cross-site <video> requests. Then the only
information that can be leaked is information protected by firewalls.
However I am still concerned with putting wording in the HTML spec
basically saying
# If you are putting a video file, or something that looks a lot like
# it, behind a firewall, the firewall is not going to provide any actual
# security for some of the meta-data about that video. Any website on
# the internet is going to be able to see that videos existance, its
# filesize, its dimensions in pixels and its playtime duration in
# seconds. The only security the firewall is going to provide for
# that data is obscurity, i.e. it is unlikely that any other person
# outside will know the url to that video to fetch that meta data.
Yes, we should say the same thing for images (minus some of the meta
data), but I can't say that I'm thrilled about that since I suspect few
people realize that.
/ Jonas
More information about the whatwg
mailing list