[whatwg] More YouTube response
jharding at google.com
Wed Jul 7 13:54:26 PDT 2010
MySpace is my canonical example - they allow arbitrary SWFs to be embedded
in profiles, but not <iframe>s. Flash added support a while back that
allows containing pages to block SWFs from executing script or accessing the
contents of the page, which MySpace enforces by rewriting the <embed> tag
that users post. Before that, yes, allowing arbitrary SWFs to be posted by
users was a huge security hole.
Regardless, I think we're all agreed on the path forward (Use <iframe>s to
embed content instead of naked <embed> tags) and just need to start moving
on it, and the ball is largely in YouTube's court on this point.
On Fri, Jul 2, 2010 at 6:20 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:
> > Any site which does that has a giant security hole, since Flash can be
> used to arbitrarily script the embedding page. It's about as safe as
> allowing embedding of arbitrary off-site <script>. If you are aware of sites
> that allow embedding of arbitrary off-site Flash, you should alert them to
> the potential security risks. For example a social network site that allowed
> this would be vulnerable to a self-propagating worm.
> > What I have heard before is that sites whitelist specific SWFs or Flash
> from specific domains. I'm don't have any first-hand knowledge of how sites
> actually do it.
> With testing I found at least one site where I can apparently embed
> arbitrary SWFs. However, this site has per-user domains, so it might be
> relatively safe. This site also allows me to embed arbitrary content in an
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the whatwg