Re: [whatwg] Redirect handling for audio video

2011-03-04 Thread Philip Jägenstedt
On Thu, 03 Mar 2011 22:15:58 +0100, Aaron Colwell acolw...@google.com wrote:

> Hi,
>
> I was looking at the resource fetch algorithm
> http://www.whatwg.org/specs/web-apps/current-work/multipage/video.html#concept-media-load-resource
> section and fetching resources
> http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#fetch
> sections of the HTML5 spec to determine what the proper behavior is for
> handling redirects. Both YouTube and Vimeo do 302 redirects to different
> hostnames from the URLs specified in the src attribute. It looks like the
> spec says that playback should fail in these cases because they are from
> different origins (Section 2.7 Fetching resources bullet 7). This leads me
> to a few questions.
>
> 1. Is my interpretation of the spec correct? Sample YouTube & Vimeo URLs
>    are shown below.
>    YouTube : src      : http://v22.lscache6.c.youtube.com/videoplayback? ...
>              redirect : http://tc.v22.cache6.c.youtube.com/videoplayback? ...
>    Vimeo   : src      : http://player.vimeo.com/play_redirect? ...
>              redirect : http://av.vimeo.com/05 ...


Yes, from what I can tell you're correct, but I think it's not
intentional. The behavior was changed by http://html5.org/r/5111 on
2010-06-25, and this is the first time I've noticed it. Opera (and I
assume most if not all other browsers) already supports HTTP redirects for
video and I don't think it makes much sense to disallow it. For security
purposes, the origin of the resource is considered to be the final
destination, not any of the origins in the redirect chain.



> 2. What about http: -> https: redirects? Some content is required to be
>    delivered only via https and this sort of redirect enforces that but
>    isn't really a different origin.


Quoting
http://tools.ietf.org/html/draft-abarth-principles-of-origin-00#section-3:

two URLs are part of the same origin (i.e., represent the same principal)
if they have the same scheme, host, and port

Since both the scheme (http vs https) and port (80 vs 443) would be  
different, it's considered a different origin.



> 3. If my interpretation of the spec is correct, are there proposals to
>    change this or other specs that allow content providers to signal that
>    these different hostnames actually represent the same origin.


I think the force same-origin flag introduced by http://html5.org/r/5111  
should be removed from the resource fetch algorithm, but the http vs https  
origin issue is not something that can really be changed.


--
Philip Jägenstedt
Core Developer
Opera Software
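
The origin rule quoted in the reply above, worked through for a redirect chain. This is an added example, not part of the original messages or of any browser's code; the URLs are constructed samples, and the function names and the reading of the force same-origin flag (fail when any redirect target leaves the origin of the src URL) are assumptions made for illustration.

```javascript
// Added example. All URLs below are constructed samples, not the thread's URLs.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple (scheme, host, port); the URL parser drops a default port,
// so it is filled back in to make the comparison explicit.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (port === undefined) throw new Error(`no default port for ${u.protocol}`);
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// chain: the src URL followed by each redirect target, in order.
function analyzeRedirectChain(chain) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  const src = chain[0];
  // Assumption: a forced same-origin fetch fails as soon as any redirect
  // target leaves the origin of the URL the fetch started with.
  const crossOriginTargets = chain.slice(1).filter((t) => !sameOrigin(src, t));
  return {
    srcOrigin: originOf(src),
    // For security purposes the resource belongs to the final destination.
    effectiveOrigin: originOf(chain[chain.length - 1]),
    crossOriginTargets,
    failsUnderForceSameOrigin: crossOriginTargets.length > 0,
  };
}

const SAMPLE_CHAINS = {
  differentHost: ["http://player.example.com/play_redirect", "http://av.example.com/clip.webm"],
  httpToHttps: ["http://media.example.com/clip.webm", "https://media.example.com/clip.webm"],
  explicitDefaultPort: ["http://media.example.com/a", "http://media.example.com:80/b"],
};

for (const [name, chain] of Object.entries(SAMPLE_CHAINS)) {
  console.log(name, analyzeRedirectChain(chain));
}
```

The http to https chain is reported as cross-origin even though the host is unchanged, because both the scheme and the default port differ.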


[whatwg] Redirect handling for audio video

2011-03-03 Thread Aaron Colwell
Hi,

I was looking at the resource fetch algorithm
http://www.whatwg.org/specs/web-apps/current-work/multipage/video.html#concept-media-load-resource
section and fetching resources
http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#fetch
sections of the HTML5 spec to determine what the proper behavior is for
handling redirects. Both YouTube and Vimeo do 302 redirects to different
hostnames from the URLs specified in the src attribute. It looks like the
spec says that playback should fail in these cases because they are from
different origins (Section 2.7 Fetching resources bullet 7). This leads me
to a few questions.

1. Is my interpretation of the spec correct? Sample YouTube & Vimeo URLs
   are shown below.
   YouTube : src      : http://v22.lscache6.c.youtube.com/videoplayback? ...
             redirect : http://tc.v22.cache6.c.youtube.com/videoplayback? ...
   Vimeo   : src      : http://player.vimeo.com/play_redirect? ...
             redirect : http://av.vimeo.com/05 ...

2. What about http: -> https: redirects? Some content is required to be
   delivered only via https and this sort of redirect enforces that but
   isn't really a different origin.

3. If my interpretation of the spec is correct, are there proposals to
   change this or other specs that allow content providers to signal that
   these different hostnames actually represent the same origin.

Thanks for your help,
Aaron