Jump to content

Security Notes on Remote Embedding

From mediawiki.org

You should always be mindful of including remote javascript on your page.

In order to make the player and inline transcripts available we use remote javascript on the page that embeds the content. This makes remote embedding an excellent tool for powerful mash-ups. See how opencongress styles metavid clips embedded in their site.

But with this power comes responsibility. The MediaWiki software and Wikipedia servers take security very seriously. There are two possible compromise situations 1) a bug in the software exposes execution of non-trusted javascript or 2) The hosting server running mediawiki is compromised resulting in execution of non-trusted javascript. Both these problems result in XSS issues for any site that cross embeds the javascript.

You should take into account these security consideration anytime you embed any javascript based widget into your site.

Solution 0: You are already aware of such issues (not a real solution)

[edit]

You don't have logins on the same server as your content pages,so there are few or no potentially damaging user interactions taking place on your site. Or you still haven't got around to doing a normal xss hole scan on your site,

Solution 1: Use an iframe

[edit]

This solution won't let you style the transcripts or do any secondary javascript based enhancements. Its also can be awkward in page layout. But essentially you include it with an iframe like so:

 <iframe width="405" height="340"
src="http://metavid.org/w/extensions/MetavidWiki/skins/mv_embed/mv_embed_iframe.php?size=320x240&sn=House_proceeding_07-18-06_00&t=1:23:16/1:23:44" />

//@@TODO we should probably make iframe the default setting

Solution 2: Copy the mwEmbed library to your server

[edit]

You can check out a copy of Mv_Embed and use it locally. It will know to remap the video tag and should work fine with the remote content. If you do this you will want to stay current with mv_embed updates that we push out and join the metavid-l developer list. Also you will want to proxy your transcript queries so they are local scrubbed queries instead of javascript injections.