[whatwg] More YouTube response

Maciej Stachowiak mjs at apple.com
Fri Jul 2 18:20:04 PDT 2010

On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:

> Any site which does that has a giant security hole, since Flash can be used to arbitrarily script the embedding page. It's about as safe as allowing embedding of arbitrary off-site <script>. If you are aware of sites that allow embedding of arbitrary off-site Flash, you should alert them to the potential security risks. For example a social network site that allowed this would be vulnerable to a self-propagating worm.
> What I have heard before is that sites whitelist specific SWFs or Flash from specific domains. I don't have any first-hand knowledge of how sites actually do it.

With testing I found at least one site where I can apparently embed arbitrary SWFs. However, this site has per-user domains, so it might be relatively safe. This site also allows me to embed arbitrary content in an <iframe>.

