[whatwg] HTML 5 : The Youtube response
mjs at apple.com
Wed Jun 30 15:04:17 PDT 2010
On Jun 30, 2010, at 8:30 AM, Tab Atkins Jr. wrote:
> On Wed, Jun 30, 2010 at 8:14 AM, Philip Jägenstedt <philipj at opera.com> wrote:
>> On Wed, 30 Jun 2010 16:31:20 +0200, Tab Atkins Jr. <jackalmage at gmail.com>
>>> In any case, embedding
>>> videos via <iframe sandbox=allow-scripts> should work fine, once more
>>> browsers support it.
>> What issues would there be with simply using <iframe> without sandboxing?
>> What doesn't the cross-origin policy stop?
> Oh, duh. Sorry, yeah, just pointing the iframe to a different-origin
> resource on youtube.com would work fine.
Embedding an off-site <iframe> without sandboxing would in fact be more secure than embedding an off-site SWF. This is really an ecosystem issue, not a technology issue, as I understand it. Many of the significant video providers have gotten most of the popular blogging sites and sites that accept user-generated content to whitelist their SWFs. They are probably not motivated to do <iframe> embedding until the sites where content would be posted allow it, and the sites that allow posting content have little incentive to allow <iframe> embedding until video providers are offering it.
I think it would help to have a shared recommended approach to this, to break the logjam. Some of us at Apple are planning to talk to various media providers about it.
More information about the whatwg