[whatwg] More YouTube response
mjs at apple.com
Fri Jul 2 18:04:54 PDT 2010
On Jul 2, 2010, at 12:09 PM, John Harding wrote:
> On Thu, Jul 1, 2010 at 9:16 PM, Aryeh Gregor <Simetrical+w3c at gmail.com> wrote:
> > As several people pointed out (and which I tried to get at in my post), this
> > is really an ecosystem issue rather than a change needed in the spec or in
> > browsers. I suspect it's going to take some time, but the flexibility of
> > embedding content via <iframe> will be a big step forward.
> Wouldn't it be straightforward for YouTube to offer <iframe> support
> right now, in addition to <object>? The backend support should be
> simple to do. If you keep the <object> code as the default embed
> recommendation and hide the <iframe> embed code somewhere so people
> will only use it if they look for it, you won't risk confusing anyone.
> Sites that currently whitelist <object> from YouTube will eventually
> whitelist <iframe> from YouTube too -- I hope there aren't many sites
> that permit *arbitrary* <object>s to be inserted by untrusted users.
> Allowing <iframe> will have other benefits, like allowing fallback
> "install Flash" content (currently omitted from the <object> code, I
> assume to keep the size down).
> Yes, it's pretty straightforward to offer <iframe>-based embed code, but it needs to be coupled with getting sites to accept them, or we end up with a lot of confused, unhappy users. Note that sites don't generally whitelist specific SWFs - they generally allow all Flash embeds.
Any site which does that has a giant security hole, since Flash can be used to arbitrarily script the embedding page. It's about as safe as allowing embedding of arbitrary off-site <script>. If you are aware of sites that allow embedding of arbitrary off-site Flash, you should alert them to the potential security risks. For example, a social network site that allowed this would be vulnerable to a self-propagating worm.
What I have heard before is that sites whitelist specific SWFs or Flash from specific domains. I don't have any first-hand knowledge of how sites actually do it.
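An added example, not code from this thread or from YouTube, of the alternative described above: a server-side check that accepts a user-submitted embed snippet only when every resource it loads comes from an exactly matched allowlisted host, instead of allowing all Flash embeds. The allowed hosts, the element rules and the function names are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist (an assumption): the only hosts an embed may load from.
# Allowlisting a host trusts every SWF it serves, since Flash can script the page.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com"}


class EmbedChecker(HTMLParser):  # collects reasons to reject a submitted snippet
    def __init__(self):
        super().__init__()
        self.reasons = []
        self.in_object = False

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        for name in attrs:
            if name.startswith("on"):  # inline event handlers are script
                self.reasons.append(f"event handler {name} on <{tag}>")
        if tag == "object":
            self.in_object = True
            if "data" in attrs:
                self.check_url(tag, attrs["data"])
        elif tag in ("iframe", "embed"):
            self.check_url(tag, attrs.get("src"))
        elif tag == "param" and self.in_object:
            # Classic <object> embeds name the SWF in <param name="movie">.
            if attrs.get("name", "").lower() in ("movie", "src", "url"):
                self.check_url("param", attrs.get("value"))
        else:
            self.reasons.append(f"disallowed element <{tag}>")

    def handle_endtag(self, tag):
        if tag == "object":
            self.in_object = False

    def check_url(self, tag, url):
        parts = urlsplit((url or "").strip())
        if parts.scheme not in ("http", "https") or parts.username is not None:
            self.reasons.append(f"<{tag}> source is not a plain http(s) URL: {url!r}")
        # Exact host match, never endswith(): www.youtube.com.evil.example must fail.
        elif parts.hostname not in ALLOWED_HOSTS:
            self.reasons.append(f"<{tag}> loads from non-allowlisted host {parts.hostname!r}")


def check_embed(snippet):
    """Return (allowed, reasons) for one embed snippet submitted by a user."""
    checker = EmbedChecker()
    checker.feed(snippet)
    checker.close()
    return (not checker.reasons, checker.reasons)
```

Both the <object> form with <param name="movie"> and the <iframe> form pass; an <embed> pointing off-site, a look-alike host such as www.youtube.com.evil.example, a javascript: URL, or any on* attribute is refused with the reason recorded.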