As you may know, Pagedown is a pretty nice and simple editor, but I want to extend its functionality. So far I have succeeded in doing so with regard to embedding videos, so after adding a video, you can see it in the preview window. Obviously, I had to include an iframe to allow such behavior; however, I’m a bit concerned about it security-wise.
Can you tell me what kind of dangers are lurking behind this use of iframe? Obviously, the only purpose is to allow users to see what his/her post would look like, so this is client-side only, but you never know when using frames.
For instance, would it be ok if I allow videos only from some domains (YouTube), or does even that expose a security vulnerability?
By the way, Google Chrome gives me this cute warning:
Unsafe JavaScript attempt to access frame with URL
file:///somethinglocaladdress from
frame with URL http://www.someaddress.com. Domains,
protocols and ports must match.
Is this something (the Google Chrome warning) I should be concerned about?
UPDATE: Notice my comment to phpgeek. It seems I’m covering his suggestions, but I’d like to get more answers to be sure I’m doing this right.
Thanks!
I don’t think this is something you need to be too concerned about.
Regarding security, Google actually did a pretty good job of explaining it here: http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
Google also outlines how most other browsers handle the iframe security there (at least for the older versions).
Other than that, if your question mainly relates to security vulnerabilities relating to your server, I don’t think that this poses an issue.
You may also be interested in checking this page out: http://code.google.com/p/browsersec/wiki/Part2#Origin_inheritance_rules
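The domain allowlist the question asks about, as an added example that is not part of the original thread or of Pagedown: it accepts a user-supplied link only if it parses as an HTTPS URL on an exact allowlisted host, then rebuilds the iframe `src` from the extracted video id alone. The names `ALLOWED_HOSTS`, `toEmbedUrl` and `iframeMarkup`, the 11-character id pattern and the sample id are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Pagedown's API.
// Hosts the preview accepts. Matching is exact, never endsWith()/includes().
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com", "youtu.be"]);
// Assumption: video ids are 11 characters from [A-Za-z0-9_-].
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

function toEmbedUrl(input) {
  let url;
  try {
    url = new URL(input);              // throws on anything that is not an absolute URL
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;         // rejects javascript:, data:, file:, http:
  if (url.username || url.password) return null;      // userinfo is never needed in an embed link
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;  // rejects www.youtube.com.other.test

  let id = null;
  if (url.hostname === "youtu.be") {
    id = url.pathname.slice(1);
  } else if (url.pathname === "/watch") {
    id = url.searchParams.get("v");
  } else if (url.pathname.startsWith("/embed/")) {
    id = url.pathname.slice("/embed/".length);
  }
  if (!id || !VIDEO_ID.test(id)) return null;

  // Rebuild the URL from the validated id only; no other user input reaches the markup.
  return "https://www.youtube.com/embed/" + id;
}

function iframeMarkup(input) {
  const src = toEmbedUrl(input);
  if (src === null) return "";         // render nothing for rejected links
  // sandbox keeps the frame from navigating the top window or opening popups.
  return '<iframe src="' + src + '" sandbox="allow-scripts allow-same-origin"></iframe>';
}
```

The same check has to run wherever the post is finally rendered, since a preview-only check does not constrain what gets stored and shown to other users.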