Thanks for digging into the example sites there! So I looked further
into the two examples you gave, and I think what's actually going on
in both cases is that the <object> also contains fallback content
which is what you're seeing:
For http://sextherapy.ru/, the full <object> looks like this:
<object width="180" height="100"
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0";>
<param name="allowFullScreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="src"
value="//www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0
<http://www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0>"
/>
<param name="allowfullscreen" value="true" />
<embed width="180" height="100" type="application/x-shockwave-flash"
src="//www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0
<http://www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0>"
allowFullScreen="true" allowscriptaccess="always"
allowfullscreen="true" />
</object>
The <param>s in this example aren't actually doing anything - you can
remove them and still see the video, since it's provided by the
fallback <embed>. It looks like those params were maybe meant to talk
to an SWF object?
Similarly, for https://jackrussell.forumattivo.com/, the <object> is this:
<object width="560" height="340">
<param name="movie"
value="https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;
<https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;>"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<iframe width="560" height="315"
src="https://www.youtube.com/embed/_ikcScPyKUQ";
frameborder="0" allowfullscreen=""></iframe>
</object>
Again, the <param>s aren't doing anything here, and the fallback
<iframe> contains the "real" content.
I also confirmed that with the proposed behavior disabled (i.e.
<param>s can't provide URLs), both example sites still work.
I'm happy to look further into other such examples if you like, but I
think these two examples should be "ok".
Again, thanks for taking a look!
Thanks,
Mason
On Fri, Apr 15, 2022 at 11:06 AM Mike Taylor <miketa...@chromium.org>
wrote:
On 4/13/22 12:48 PM, Mason Freed wrote:
Contact emails
mas...@chromium.org
Explainer
https://github.com/whatwg/html/pull/7816
https://github.com/whatwg/html/issues/6003
Specification
https://github.com/whatwg/html/pull/7816
Summary
The <param> element can be used to specify parameters such as a
URL (via params named "movie", "src", "code", "data", or "url")
to a containing <object> element. Given the removal of plugins
from the web platform, and the relative lack of use of this
particular functionality, we would like to deprecate and remove it.
Blink component
Blink
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
Motivation
Given that plugins are gone from the web platform (with their
full removal from the spec being tracked in
https://github.com/whatwg/html/issues/6003), it is not useful. In
some browsers it can be used to figure out the URL of an
<object>, even when that <object> is not being used for a plugin,
via params named "movie", "src", "code", "data", or "url". But we
decided to remove this behavior from browsers instead of
specifying it. This retains the HTMLParamElement interface, as
well as the parser behavior of <param>.
Initial public proposal
Search tags
<param> <https://chromestatus.com/features#tags:%3Cparam%3E>,
<object> <https://chromestatus.com/features#tags:%3Cobject%3E>
TAG review
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: Shipped/Shipping
(https://github.com/whatwg/html/issues/387#issuecomment-1088331300)
Issue was initially raised by Mozilla, and Gecko already does not
process param at all.
WebKit: No signal
(https://bugs.webkit.org/show_bug.cgi?id=239188) No response on
the bug yet.
Web developers: No signals
Other signals:
Ergonomics
Since this is a deprecation, there is a Web Compat risk. I added
use counters for the situations that will be affected: - <param>
that specifies a URL, inside an <object> that doesn't: 0.04%,
https://chromestatus.com/metrics/feature/timeline/popularity/4010
- As above, but URL successfully resolves to a (supported) PDF
resource: 0.00002%,
https://chromestatus.com/metrics/feature/timeline/popularity/4110
- As above, but URL successfully resolves to an (unsupported)
non-PDF resource: not measurable,
https://chromestatus.com/metrics/feature/timeline/popularity/4111
So the vast majority (99.95%) of <param> URL usage appears to
point to invalid resources - likely mostly Flash. A very small
percentage (0.05% of <param>-with-URL usage, 0.00002% of web page
loads) are likely to break when we deprecate this functionality.
I clicked on the first 20 results from
https://chromestatus.com/metrics/feature/timeline/popularity/4010
(careful, 1 is NSFW), and 18 contain busted SWFs. But two of them
are embedding youtube videos via <param>:
https://jackrussell.forumattivo.com/ has an <object> that has a
child param name="movie"
value="https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&";
<https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;>>.
http://sextherapy.ru/ (SFW-ish, at least on the homepage)<param
name="src"
value="//www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0
<http://www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0>"
/>
I had no idea that was possible - can we dig in some more to see
how many params have a value with "youtube.com
<http://youtube.com>", to see if I got lucky and found the only 2,
or if a lot of sites are relying on this behavior?
WebView Application Risks
Does this intent deprecate or change behavior of existing APIs,
such that it has potentially high risk for Android WebView-based
applications?
Debuggability
Deprecation.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes
Flag name
Requires code in //chrome?
False
Tracking bug
https://crbug.com/1315717
Estimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6283184588193792
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhXTo%3Dg3scg7KF8g%3Dn5a4rA%3D6UD5cAxTBn9HetnAO%2BJ-A%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhXTo%3Dg3scg7KF8g%3Dn5a4rA%3D6UD5cAxTBn9HetnAO%2BJ-A%40mail.gmail.com?utm_medium=email&utm_source=footer>.
