December 07, 2006
YouTube, crossdomain
YouTube, crossdomain: Abdul Qabiz noticed earlier today that YouTube's cross-domain policy file has changed from open access to YouTube-only access. (Background: Flash, JavaScript, and other client-side technology cannot usually call out to any arbitrary address, because it can run behind a firewall and may access otherwise-private servers... Flash offers servers the ability to respond to requests from content hosted at other servers through use of a policy file.) I left a comment at Abdul's blog, but it has been held for approval and it's the middle of the night there, and other people are affected by the change too, so I'm bumping the issue up here in my blog. I have no info on this yet but Adobe staff are in pursuit of the issue... the issue isn't being ignored; it's just not resolved yet. Personally speaking, I suspect that this was a sudden situation where they needed a quick fix, and so the drastic path of allowing no info requests from clients running software from non-YouTube sites was chosen... I know there have been strange spikes in global video traffic lately, and suspect things will get squared away quickly... the YouTube blog or Developer Resources may be the best place to find out what's actually going on. Anyway, that's what I've got, as little as it is... I'm only posting this to cut down the wonder on whether the issue was heard or not. In process, no result yet, sorry.
Posted by JohnDowdell at December 7, 2006 02:52 PM
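The difference between an open policy file and a site-only one, as an added example that is not part of the original post and does not reproduce YouTube's actual file: a small Python audit of a crossdomain.xml body. The two sample policies, the `audit_policy` helper and its `own_domain` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration; not the real files of any site.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SITE_ONLY_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="youtube.com" />
  <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>"""


def audit_policy(xml_text, own_domain):
    """Return (severity, message) findings for a crossdomain.xml body.

    own_domain is the site the policy is served from (an assumed input).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"policy is not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", f"unexpected root element <{root.tag}>")]

    findings = []
    for entry in root.iter("allow-access-from"):
        domain = (entry.get("domain") or "").strip().lower()
        if domain == "*":
            # Open access: content served from any site may read responses.
            findings.append(("high", "domain='*' grants access to every site"))
        elif domain == own_domain or domain.endswith("." + own_domain):
            # Exact match or a true subdomain; a lookalike suffix does not pass.
            findings.append(("ok", f"{domain} stays within {own_domain}"))
        else:
            findings.append(("review", f"{domain} is outside {own_domain}"))
    if not findings:
        findings.append(("info", "no allow-access-from entries; no access granted"))
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("site-only", SITE_ONLY_POLICY)):
        print(name, audit_policy(policy, "youtube.com"))
```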
Comments
Thanks John for the update. I emailed YouTube support but haven't received an answer yet either.
Posted by: Dominick at December 7, 2006 08:08 PM
Perhaps the change is related to this concern with crossdomain.xml:
http://blog.monstuff.com/archives/000302.html#more
If so, then hopefully they are just moving the calls and crossdomain.xml to a subdirectory.
Posted by: Brian Deitte at December 8, 2006 11:04 AM
Hi John,
This issue is most likely the result of a security vulnerability in YouTube that I discovered and wrote about here:
http://shiflett.org/archive/263
In fact, it's not just a vulnerability in YouTube but a new attack vector enabled by open crossdomain.xml policies. I have discovered this vulnerability in sites like Flickr as well.
For the record, Adobe.com is still vulnerable.
[jd sez: I'll wait for stakeholders to weigh in, rather than hypothesize myself.]
Posted by: Chris Shiflett at December 19, 2006 11:20 PM