[whatwg] HTML 5 : The Youtube response

Maciej Stachowiak mjs at apple.com
Wed Jun 30 15:04:17 PDT 2010


On Jun 30, 2010, at 8:30 AM, Tab Atkins Jr. wrote:

> On Wed, Jun 30, 2010 at 8:14 AM, Philip Jägenstedt <philipj at opera.com> wrote:
>> On Wed, 30 Jun 2010 16:31:20 +0200, Tab Atkins Jr. <jackalmage at gmail.com>
>> wrote:
>>> In any case, embedding
>>> videos via <iframe sandbox=allow-scripts> should work fine, once more
>>> browsers support it.
>>> 
>>> ~TJ
>>> 
>> 
>> What issues would there be with simply using <iframe> without sandboxing?
>> What doesn't the cross-origin policy stop?
> 
> Oh, duh.  Sorry, yeah, just pointing the iframe to a different-origin
> resource on youtube.com would work fine.

Embedding an off-site <iframe> without sandboxing would in fact be more secure than embedding an off-site SWF. This is really an ecosystem issue, not a technology issue, as I understand it. Many of the significant video providers have gotten most of the popular blogging sites and sites that accept user-generated content to whitelist their SWFs. They are probably not motivated to do <iframe> embedding until the sites where content would be posted allow it, and the sites that allow posting content have little incentive to allow <iframe> embedding until video providers are offering it.

I think it would help to have a shared recommended approach to this, to break the logjam. Some of us at Apple are planning to talk to various media providers about it.

Regards,
Maciej




More information about the whatwg mailing list