type=parameter in your
<embed>markup, what are the security consequences of allowing users to embed third-party Flash movies in their posts when you enforce the appropriate security restrictions on your end (
allowFullScreenall set to
none)? Or, to make things simpler, how about permitting a straightforward video file, with
If you think this is safe, you may want to know that the HTML5 spec has a different view. The specification effectively takes away the ability for any single party to decide how a particular plugin document should be handled by the browser. Under the new algorithm, instead of your funny cat video, you may accidentally end up embedding Java, which has unconditional access to the DOM of the embedding page through DOMService. Whoops, looks like you are owned now.
According to the spec, if your visitor's browser has, say, a Windows Media Player plugin that recognizes the
type=video/x-ms-wmv value on your webpage, that plugin will be used regardless of
Content-Type. This part is intuitive. Alas, if the plugin is not found, the specification compels the software to look at
Content-Type next, giving the hosting party an opportunity to override the intent specified on your end.
To further complicate the picture, in some circumstances, browsers may also ignore both
Content-Type values: for example, Internet Explorer and WebKit browsers will play Flash videos served with
Content-Type: pants/whatever and loaded with
type=certainly/not-flash just because a stray
.swf file extension is spotted somewhere in the URL. The file name signal is problematic, as it can usually be tampered with by whoever provides the URL. This strategy brings a yet another player into the picture, and each party can sabotage the security assurances sought by the rest.
It would be more reasonable to keep the behavior of
<embed> consistent with that of other type-specific subresource tags (e.g.,
<script>), and give control over how the document is rendered to whoever authored the markup. This approach is still not without peril, because it makes it impossible for some sites to indicate that a particular
image/jpeg response is not meant to be interpreted as a malicious applet. But that last problem can be fixed by requiring
type= to match, perhaps through an opt-in mechanism controlled with a new HTTP header. And in any case, the proposed logic does not help.
In the end, the currently specified behavior seems highly counterintuitive, and undoes all the work plugin that vendors such as Adobe or Microsoft put into adding security controls to ensure that their plugin content is reasonably safe to embed across domains that do not fully trust each other.