(Difference between revisions)
| Line 1: |
Line 1: |
| - | You should '''always''' be mindful of including remote javascript on your page.
| + | The Security Notes on Remote Embedding page is now maintained on [http://www.mediawiki.org/wiki/Security_Notes_on_Remote_Embedding mediaWiki] |
| - | | + | |
| - | In order to make the player and inline transcripts available we use remote javascript on the page that embeds the content. This makes remote embedding an excellent tool for powerfull mashups. See how opencongress styles metavid clips [http://metavid.org/blog/2009/03/05/metavid-integration-and-syndication/ embedded in their site].
| + | |
| - | | + | |
| - | But with this power comes responsibility. Here at metavid.org we take security very seriously ... but in the off chance that metavid.org is compromised any site embedding that javascript code will also be in danger of cross site scripting attack. ''You should take into account these security consideration anytime you embed any javascript based widget into your site.''
| + | |
| - | | + | |
| - | == Solution 0: you are already are aware of such issues (not a real solution) ==
| + | |
| - | You don't have logins on the same server as your content pages there are few or no potentially damaging user interactions taking place on your site. Or you still haven't got around to doing a normal xss hole scan on your site in which case you have bigger security concerns.
| + | |
| - | | + | |
| - | == Solution 1: Use an iframe ==
| + | |
| - | This solution won't let you style the transcripts or do any secondary javascript based enhancements. Its also awkward in page layout as you have to give space for transcripts. But essentially you include it with an iframe like so:
| + | |
| - | <pre>
| + | |
| - | <iframe width="405" height="340"
| + | |
| - | src="http://metavid.org/w/extensions/MetavidWiki/skins/mv_embed/mv_embed_iframe.php?size=320x240&sn=House_proceeding_07-18-06_00&t=1:23:16/1:23:44" />
| + | |
| - | </pre>
| + | |
| - | | + | |
| - | == Solution 2: Copy the mv_embed library to your server and proxy transcript requests ==
| + | |
| - | You can check out a copy of [[Mv_Embed]] and use it locally. It will know to remap the video tag and should work fine with the remote content. If you do this you will want to stay current with mv_embed updates that we push out and join the metavid-l developer list. Also you will want to proxy your transcript queries so they are local scrubbed queries instead of javascript injections.
| + | |
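Review bot: the single added line at Line 1 replaces the whole advisory (the cross-site scripting warning and Solutions 0 to 2) with a bare pointer, so a reader landing here no longer learns why embedding remote javascript is risky. Suggest keeping a one-sentence summary of the removed warning, that a compromise of metavid.org puts every site embedding its javascript at risk of a cross-site scripting attack, ahead of the link. The link itself, `http://www.mediawiki.org/wiki/Security_Notes_on_Remote_Embedding`, is plain http; for a page whose subject is trusting remote content, an https URL would be the better default. Before dropping the removed text, confirm that the destination page carries over the iframe option from Solution 1 and the Solution 2 advice to proxy transcript queries so they are local scrubbed queries, since those are the only mitigations this revision described.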
Current revision as of 18:14, 19 August 2009
The Security Notes on Remote Embedding page is now maintained on mediaWiki