by Rachael » Thu Jun 06, 2019 11:22 pm
What Caligari is proposing is something that points to a fixed site, which is far less prone to abuse.
I still don't know how I feel about the site itself, though. I have no experience with how they accept/reject file types and what it would mean if I was to point an <iframe> there like with YouTube.
The thing with <iframe>s and <object>s and <media>s is some browsers essentially treat them as the same thing, which means one thing can be loaded as another. And one thing I learned in my data security classes is <iframe>s are by far the easiest attack vector for a malicious site to take over a page. While, technically, they're not supposed to allow that - why risk it? Browsers these days have vulnerabilities like Swiss cheese in them - there's no need to help the attacker along on these fronts.
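The "fixed site" idea from the post, as an added example that is not part of the original thread or the forum's software: only an allow-listed embed host and path shape is accepted, and the resulting <iframe> carries a restrictive sandbox. The allow-list, the path pattern and the video id are constructed assumptions.

```javascript
// Added example: allow-list the embed target and sandbox the frame.
// Hosts and path pattern below are assumptions, not values from the thread.
const ALLOWED_EMBED_HOSTS = new Map([
  ["www.youtube.com", /^\/embed\/[A-Za-z0-9_-]{11}$/],
  ["www.youtube-nocookie.com", /^\/embed\/[A-Za-z0-9_-]{11}$/],
]);

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns a canonical https URL on an allow-listed host, or null if the
// input is not acceptable. Query and fragment are dropped so the target
// stays fixed and no caller-supplied player parameters leak through.
function validateEmbedUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== "https:") return null; // rejects http:, javascript:, data:
  if (url.username || url.password) return null; // rejects user@host confusion
  const pathRule = ALLOWED_EMBED_HOSTS.get(url.hostname);
  if (!pathRule || !pathRule.test(url.pathname)) return null;
  return `${url.protocol}//${url.hostname}${url.pathname}`;
}

// Builds the <iframe> markup. The sandbox allows scripts (a player needs
// them) but deliberately omits allow-same-origin, allow-top-navigation,
// allow-forms and allow-popups, so the framed page cannot reach the
// embedding page or navigate it away. Returns null if the URL was rejected.
function buildEmbedHtml(raw) {
  const src = validateEmbedUrl(raw);
  if (src === null) return null;
  return (
    `<iframe src="${escapeAttr(src)}" sandbox="allow-scripts" ` +
    `referrerpolicy="no-referrer" loading="lazy"></iframe>`
  );
}
```

If a provider's player refuses to run without allow-same-origin, adding it weakens the isolation described in the comment, so treat that as a conscious trade-off rather than a default.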