X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/b5e27e60ba38365f3e252df80c2a22503f00eb06..1d3b2674c87c9cac395228dac9b60c751d4e06a1:/doc/todo/finer_control_over___60__object___47____62__s.mdwn diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn index c37d052db..50c4d43bf 100644 --- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn +++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn @@ -56,6 +56,24 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by >> (i. e., only *local* and certain `data:` ones for `data` and >> `usemap`) should make `object` almost as harmless as, say, `img`. +>>> But with local data, one could not embed youtube videos, which surely +>>> is the most obvious use case? + +>>>> Allowing a “remote” object to render on one's page is a + security issue by itself. + Though, of course, having an explicit whitelist of URI's may make + this issue more tolerable. + — [[Ivan_Shmakov]], 2010-03-12Z. + +>>> Note that youtube embedding uses an +>>> object element with no classid. The swf file is provided via an +>>> enclosed param element. --[[Joey]] + +>>>> I've just checked a random video on YouTube and I see that the + `.swf` file is provided via an enclosed `embed` element. Whether + to allow those or not is a different issue. + — [[Ivan_Shmakov]], 2010-03-12Z. + >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being >> restricted in such a way.)
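Review bot: The continuation lines of both `>>>>` replies (starting at "security issue by itself." and at "`.swf` file is provided via an enclosed `embed` element.") are indented with spaces but drop the `>>>>` quote prefix, unlike every other line in this file, so they only stay inside the right blockquote by relying on Markdown's lazy paragraph continuation; a stray blank line or a later edit would detach them from the reply they belong to. Suggest prefixing each continuation line with `>>>>` as the rest of the thread does, e.g. `>>>> security issue by itself.` and `>>>> — [[Ivan_Shmakov]], 2010-03-12Z.`, so the nesting is explicit and matches the existing `>>>` replies in the same hunk.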