Last modified: 2009-03-30 22:54:42 UTC
An upcoming build of Firefox will enforce same-origin security policy on <video/> and <audio/> loaded content. [http://www.w3.org/Bugs/Public/show_bug.cgi?id=6104] This will restrict these tags from loading content from domains which differ from the requesting page unless the target server takes affirmative action. Use of the video tag on Wikimedia sites depends on hotlinking, so video will break for Firefox nightly build users. The problem can be avoided by adding an "Access-Control-Allow-Origin: *" header to upload. The tag is specified at http://www.w3.org/TR/access-control/ . I believe the configuration line to add to lighttpd is setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" ) although I have not tested it. There is an ongoing discussion of this on the Theora list (http://lists.xiph.org/pipermail/theora/2008-November/thread.html) in the thread "<video/> and cross site scripting policy." This change will also result in access-control supporting files being able to connect to upload.wikimedia.org using XMLHttpRequest. This would be a devastating security problem on the other domains, but I do not see a reason why it would be unsafe on upload.wikimedia.org. The Origin: request header should also be ignored by squid for the purpose of caching, but I believe it will be by default. It would be possible to complete the Origin:..allow protocol so that we could deny audio/video tag hotlinking, but it would require non-trivial modification of Squid, would only impact <audio/> and <video/> usage, and I do not believe the restriction of hotlinking is considered desirable. I'd prefer to see the change made sooner rather than later to reduce the time <video/> mysteriously fails due to stale cached responses, though I suppose we could purge all Ogg files.
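Added example, not part of the original report and not browser or Squid code: a simplified model of the Access-Control-Allow-Origin check described above, run through a cache that ignores the Origin request header. It shows why the wildcard value works behind such a cache while a per-origin answer does not. All hostnames, the per-origin policy and the function names are constructed assumptions.

```javascript
// Added example: simplified model, not browser or Squid source code.
// All hostnames below are constructed placeholders.
const originOf = (url) => new URL(url).origin;

// The check a browser enforcing the policy applies to a <video>/<audio> load.
function mediaLoadAllowed(pageUrl, mediaUrl, headers) {
  const page = originOf(pageUrl);
  if (page === originOf(mediaUrl)) return true;   // same origin: no header needed
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === page;         // absent header => denied
}

// A shared cache that keys on URL alone, i.e. ignores the Origin request header.
function makeOriginBlindCache(server) {
  const store = new Map();
  return (url, origin) => {
    if (!store.has(url)) store.set(url, server(url, origin));
    return store.get(url);
  };
}

// Policy 1: the wildcard header proposed in the report.
const wildcardServer = () => ({ 'access-control-allow-origin': '*' });

// Policy 2 (hypothetical): answer each allowed Origin with its own value.
const ALLOWED = new Set(['http://wiki-a.example', 'http://wiki-b.example']);
const perOriginServer = (url, origin) =>
  ALLOWED.has(origin) ? { 'access-control-allow-origin': origin } : {};

// Load the same media file from several pages through one cache.
function loadAll(server, pageUrls, mediaUrl) {
  const cache = makeOriginBlindCache(server);
  return pageUrls.map((p) => mediaLoadAllowed(p, mediaUrl, cache(mediaUrl, originOf(p))));
}

const MEDIA = 'http://upload.example/clip.ogv';
const PAGES = ['http://wiki-a.example/Article', 'http://wiki-b.example/Article'];
```

With the per-origin policy the second page receives the header cached for the first and is refused, even though both origins are on the allow list.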
This conflation of same-origin privacy and media embedding is dangerous, insecure and should be resisted. The use of such a system with Flash has already opened up thousands of servers to CSRF vulnerabilities. To extend it to the web browser itself would be a monumental mistake.
This appears to have been canceled? The spec bug entry is marked WONTFIX 'for now' and I don't see a mention of the restriction in the current WHATWG work spec. Please re-open with a reference if there's been an update...