Comments on: Video and audio tags and cross origin access

By: jayridge

jayridge — Mon, 10 Nov 2008 23:57:26 +0000

security kills invention. i will accept the risk.

By: AdrenalinMd

AdrenalinMd — Mon, 10 Nov 2008 23:35:18 +0000

That makes HTML5 useless. Flash doesn’t have such a limitation.

By: Kit

Kit — Mon, 10 Nov 2008 23:33:48 +0000

I think the big failure here is that Chris is pointing out the very failure in blocking XS functionality because it’s a never-ending spiral of tags that can be exploited. In order to maintain compatibility with existing sites, though, as Chris mentions, browsers must permit cross-site access to CSS and images.

Video tags won’t ever supplant existing formats (such as FLV) if there’s no way to cross-embed it. Think YouTube.

The better solution is something specific to do with the media itself; some way to explicitly permit embedding. Even if it’s just using the REFERER header at the server end to restrict serving of the file to requesters of the expected domains.

This is a security issue that should be handled by the media servers, not the web browsers.

By: doublec

doublec — Mon, 10 Nov 2008 23:05:23 +0000

AndiSkater, Chris Double is very aware that Firefox and others are open source and can be modified. In fact, Chris Double is not a fan of the access restrictions, even though he blogged about it. It’s my opinion it’ll be a big barrier to adoption of video and audio.

On the other hand I respect jonas and he has given this a lot of thought and I see his points. I don’t know of a good solution.

By: mblaney

mblaney — Mon, 10 Nov 2008 22:03:57 +0000

In other news, the ‘anchor’ tag will also be modified to prevent cross site access. It is currently possible for an attacker to set up a link that redirects the user to ‘attacker.com’ which could be harmful. In future only internal links will be possible.

By: whoisyeco

whoisyeco — Mon, 10 Nov 2008 15:58:29 +0000

Restrictions on video?, the streaming methods and media servers gives solutions enought for this issue…

I agree that some of the videos requires some security but those are only very specific cases.

I don’t think this has to be a front-end issue.

By: AndiSkater

AndiSkater — Mon, 10 Nov 2008 13:32:11 +0000

Restrictions, restrictions, restrictions. That’s what we need, restrictions. It seems everything is about restrictions and security it should enforce, today. I don’t understand why we need this. So the audio and video tags have to be restricted, because else someone could access a video on a non official web site? Has Chris Double ever thought about the fact, that Firefox or Webkit are open source and every person with some programmings skills could compile a version without these restrictions?
Probably the world would be much more secure, if everyone lived in a cage and would never go out. Every time I go shopping, I risk to be pickpocketed. Everytime I drive my car, I risk to have a crash. Should be really give up our freedom for more and more security?

I don’t think so.

By: igitur

igitur — Mon, 10 Nov 2008 12:54:18 +0000

Sorry, I don’t remember why PHP did so well. Would like to have my memory refreshed though…