10

Update: This question is no longer valid. See comment below.

  1. YouTube embedding is done using iframes nowadays.
  2. HTML5 introduces the seamless attribute, that not only should affect presentation, but make the integration with the host page tighter. (It should not be announced to screen readers as a separate document.)
  3. HTML5 introduces the sandbox attribute, that restricts the iframe and thus improves security.

In a world where browser support for these 2 attributes is complete, will they benefit or in any way adversely affect the page, when embedding YouTube videos? (Yes, the last half of the question is primarily about seamless.)

I am thinking about recommending that my students always use these 2 attributes for YouTube videos and benefit automatically as browser support becomes available.

itpastorn
  • I'll make one sub-question more specific: Will a movie playing in a sandboxed iframe be able to render full screen? I think the documentation is ambiguous. – itpastorn Apr 27 '12 at 21:04
  • I'll add a link to Bugzilla @ Mozilla for reference: https://bugzilla.mozilla.org/show_bug.cgi?id=341604 – itpastorn May 06 '12 at 11:52
  • Mozilla sandbox implementation notes: https://wiki.mozilla.org/Features/Platform/Iframe_Sandbox – itpastorn May 06 '12 at 11:53
  • Yet a link: [The Webkit bug about the seamless attribute for iframes](https://bugs.webkit.org/show_bug.cgi?id=45950) – itpastorn May 08 '12 at 19:30
  • The seamless attribute no longer exists. See https://stackoverflow.com/questions/4804604/html5-iframe-seamless-attribute/5632609#5632609 – Michael Freidgeim Sep 24 '19 at 22:10

2 Answers

6

I'll focus on just discussing the sandbox attribute.

To play YouTube videos in a sandbox you need to do the following:

  1. Add `sandbox="allow-scripts allow-same-origin"`
  2. Add `?html5=1` to the video URL

A problem with #1 is that Flash will not be loaded; whether Flash is required depends on a few things, such as the end-user's browser, their YouTube settings or when a video is simply not available as an HTML5 video (this is worsened by #2).

Another (more serious) problem with #1 is that the combination of allow-scripts and allow-same-origin effectively removes any security benefit you would have otherwise enjoyed.

Conclusion

Forget about using the sandbox attribute for YouTube video embedding.

Ja͢ck
  • #1: HTML5 is now used by default, old browsers which still need flash don't understand the sandbox attribute. #2: It still prevents top navigation. – Gustavo Rodrigues Jul 21 '14 at 14:09
  • @GustavoRodrigues You missed my point about "a video simply not being available as an HTML5 video"; although not all security benefits are removed, they are pretty significant either way. – Ja͢ck Jul 21 '14 at 14:17
  • Well, if even the simplest permission (`allow-scripts`) is too harmful and I don't know any good website which will use `allow-forms` without using scripts then sandbox [is really a bad idea](http://homakov.blogspot.com/2013/04/html5-sandbox-bad-idea.html). *(But you're right... I just got here trying to find why YT wasn't working)*. – Gustavo Rodrigues Jul 21 '14 at 17:58
  • 1
    It's more the `allow-same-origin` that's a bit scary for me :) – Ja͢ck Jul 21 '14 at 23:23
  • The sandbox attribute is still useful for disabling a variety of APIs. The "allow-same-origin" attribute doesn't grant access to the page's origin, it only grants access to youtube's origin. – shadow-light Nov 12 '21 at 07:31
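
An added example, not part of any post in this thread: a small JavaScript audit of how the sandbox tokens discussed in the answer and comments above combine, depending on whether the framed document shares the host page's origin. The function name `auditSandbox`, the verdict labels, `example.test` and `VIDEO_ID` are assumptions made for illustration.

```javascript
// Added example (not from the thread): classify an iframe's sandbox value.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// sandboxAttr: null when the attribute is absent, '' for a bare `sandbox`.
// frameSrc may be relative; hostOrigin is the embedding page's origin.
function auditSandbox(sandboxAttr, frameSrc, hostOrigin) {
  if (sandboxAttr === null) {
    return { verdict: 'unsandboxed', tokens: [], unknown: [], stillBlocked: [] };
  }
  // Tokens are space-separated and ASCII case-insensitive.
  const tokens = [...new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean))];
  const unknown = tokens.filter((t) => !KNOWN_TOKENS.has(t));
  const stillBlocked = [...KNOWN_TOKENS].filter((t) => !tokens.includes(t));
  const scripts = tokens.includes('allow-scripts');
  const keepsOrigin = tokens.includes('allow-same-origin');
  const sameAsHost =
    new URL(frameSrc, hostOrigin).origin === new URL(hostOrigin).origin;

  let verdict;
  if (scripts && keepsOrigin && sameAsHost) {
    // Frame script can reach the parent DOM and remove its own sandbox attribute.
    verdict = 'escapable';
  } else if (scripts && keepsOrigin) {
    // Frame runs script as its real origin (its cookies and storage); the
    // same-origin policy still separates it from the host, and every token
    // in stillBlocked stays denied.
    verdict = 'own-origin-scripted';
  } else if (scripts) {
    verdict = 'opaque-origin-scripted'; // script runs, but in a unique origin
  } else {
    verdict = 'no-scripts';
  }
  return { verdict, tokens, unknown, stillBlocked };
}

// Constructed inputs: VIDEO_ID and example.test are placeholders.
const HOST = 'https://example.test';
const youtube = auditSandbox('allow-scripts allow-same-origin',
  'https://www.youtube.com/embed/VIDEO_ID?html5=1', HOST);
const local = auditSandbox('allow-scripts allow-same-origin', '/player.html', HOST);
console.log(youtube.verdict, youtube.stillBlocked);
console.log(local.verdict);
```

Tokens reported in `unknown` are not sandbox keywords and grant nothing; `allow-fullscreen` is one such value, since fullscreen is controlled by the separate `allowfullscreen` attribute.
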
0

No, fullscreen does not seem to work with both attributes enabled. If you are in the HTML5 beta, check an example here: http://bcmoney-mobiletv.com/view/2133/monty-python-tax-sketch/

However, when I leave the HTML5 beta program it plays back in the standard YouTube Flash player, which ignores those iFrame attributes completely.

So, it really depends what your goals are. If you want added security and an experience that feels more like an in-page web video that is controlled by your page, go ahead and use those attributes. However, if you want to give the user a full range of controls and options, leave off sandbox and/or seamless.

bcmoney
  • Thanks. I will give you the bounty. It seems, however, that some further investigation is needed, for which I do not have the time right now. I will update this question when it's done. – itpastorn May 05 '12 at 11:42
  • I have begun making [an in-depth test](http://keryx.se/dev/html5/sandboxed-seamless-youtube-test.html). In my preliminary tests, full screen is not available regardless of any attributes. – itpastorn May 07 '12 at 20:20
  • Wow, looks good... actually using that I just noticed that even when in the HTML5 Beta and not using "seamless" or "sandbox" you can't open embedded videos in fullscreen, only videos on the YouTube site... so it would seem these attributes currently are ignored by the YouTube player. – bcmoney May 08 '12 at 16:59