[whatwg] More YouTube response

John Harding jharding at google.com
Wed Jul 7 13:54:26 PDT 2010

MySpace is my canonical example - they allow arbitrary SWFs to be embedded
in profiles, but not <iframe>s.  Flash added support a while back that
allows containing pages to block SWFs from executing script or accessing the
contents of the page, which MySpace enforces by rewriting the <embed> tag
that users post.  Before that, yes, allowing arbitrary SWFs to be posted by
users was a huge security hole.

Regardless, I think we're all agreed on the path forward (Use <iframe>s to
embed content instead of naked <embed> tags) and just need to start moving
on it, and the ball is largely in YouTube's court on this point.


On Fri, Jul 2, 2010 at 6:20 PM, Maciej Stachowiak <mjs at apple.com> wrote:

> On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:
> >
> > Any site which does that has a giant security hole, since Flash can be
> used to arbitrarily script the embedding page. It's about as safe as
> allowing embedding of arbitrary off-site <script>. If you are aware of sites
> that allow embedding of arbitrary off-site Flash, you should alert them to
> the potential security risks. For example a social network site that allowed
> this would be vulnerable to a self-propagating worm.
> >
> > What I have heard before is that sites whitelist specific SWFs or Flash
> from specific domains. I'm don't have any first-hand knowledge of how sites
> actually do it.
> With testing I found at least one site where I can apparently embed
> arbitrary SWFs. However, this site has per-user domains, so it might be
> relatively safe. This site also allows me to embed arbitrary content in an
> <iframe>.
> Regards,
> Maciej
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100707/4fc8dfb1/attachment-0002.htm>

More information about the whatwg mailing list