[HTTPS-E Rulesets] YouTube rule and embedded video
Seth David Schoen
schoen at eff.org
Sun May 8 16:03:59 PDT 2011
Osama Khalid writes:
> On Fri, May 06, 2011 at 03:58:03PM -0700, Seth David Schoen wrote:
> > I went to Boing Boing to look at some embeded YouTube videos and the
> > first one on the page failed, while the second and third ones
> > worked. Looking at Boing Boing's HTML, the method used to embed
> > them was quite different. The one that failed is
>
> After some debugging, I manged to get it to work with the following
> exclusion:
>
> <exclusion pattern="^http://(www\.)?youtube\.com/crossdomain\.xml"/>
>
> I don't really know what's the difference between the encrypted and
> unencrypted versions of crossdomain.xml and the md5 sums were even
> identical.
That's fascinating! I should probably talk with someone at YouTube or
Adobe to find out if this introduces any vulnerability, because
crossdomain.xml is the cross-domain policy for Adobe Flash Player.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
More information about the HTTPS-Everywhere-Rules
mailing list