X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/b5e27e60ba38365f3e252df80c2a22503f00eb06..93a42f9cace10752a194df721e9cabf537c69bb1:/doc/todo/finer_control_over___60__object___47____62__s.mdwn

diff --git a/doc/todo/finer_control_over___60__object___47____62__s.mdwn b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
index c37d052db..50c4d43bf 100644
--- a/doc/todo/finer_control_over___60__object___47____62__s.mdwn
+++ b/doc/todo/finer_control_over___60__object___47____62__s.mdwn
@@ -56,6 +56,24 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
 >> (i. e., only *local* and certain `data:` ones for `data` and
 >> `usemap`) should make `object` almost as harmless as, say, `img`.
 
+>>> But with local data, one could not embed youtube videos, which surely
+>>> is the most obvious use case?
+
+>>>> Allowing a “remote” object to render on one's page is a
+     security issue by itself.
+     Though, of course, having an explicit whitelist of URI's may make
+     this issue more tolerable.
+     — [[Ivan_Shmakov]], 2010-03-12Z.
+
+>>> Note that youtube embedding uses an
+>>> object element with no classid. The swf file is provided via an
+>>> enclosed param element. --[[Joey]]
+
+>>>> I've just checked a random video on YouTube and I see that the
+     `.swf` file is provided via an enclosed `embed` element.  Whether
+     to allow those or not is a different issue.
+     — [[Ivan_Shmakov]], 2010-03-12Z.
+
 >> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
 >> restricted in such a way.)