Hey everyone,

I'm writing on behalf of YSTV; we're looking at providing embed options for our videos, and I've got a quick question.

We can obviously provide embed code to users such as

<embed height="360" width="480" flashvars="backcolor=0xffffff&amp;autostart=false&amp;file=http://ystv.york.ac.uk/static/videos.php?file=1040&amp;amp;autoscroll=false&amp;amp;displayheight=360&amp;amp;width=480&amp;amp;height=360&amp;amp;type=video&amp;amp" allowfullscreen="true" quality="high" name="ystvplayer" src="http://ystv.york.ac.uk/static/flash/mediaplayer4.swf" type="application/x-shockwave-flash" />

which is what every (ok, so not every, but the vast majority) video sharing site does (YouTube, Break, Vimeo etc).

However, somebody's pointed out that we could also provide a JavaScript embed link as follows:

<script type="text/javascript" src="http://full.path/to/embed.js"></script>

Where embed.js contains

document.write('EMBED_TAG_PROVIDED_ABOVE');

What's the disadvantage of the JS embed option? The advantage is obvious: it's a nicer URL for the user, with fewer characters to place in their site. I'm worried about security here, as somebody who doesn't know JavaScript; is this an inherently insecure way of doing things? And if the JavaScript URL is fine, how come none of the well-known sites do it?

Cheers,

Alex

+1  A: 

NoScript (Firefox plugin) could be on, and that would block all the JS on the page. Other than that there is not much drawback to it. These days a lot of JS files are pulled off-site for CDN purposes, etc. It's no less secure than any other JavaScript running.

The downside is that you can't customize as well. Say I wanted to shrink it, or make it bigger. I can't get at the vars with document.write(). I've used this method in the past and it's worked fine for me.

Mech Software
+1  A: 

Google uses a similar method for including their Analytics code, so if there was a security issue people would have been up in arms about it before.

People using NoScript (should) know what they are doing, so will be able to allow it if they want to view the video. The fact that the JS is from a UK academic domain will probably be favourable to you.

As for customisation, from your above code I see that you serve the videos through a PHP file which is passed an id. I assume that you would serve the embed.js file in the same way, passing the video id in the URL and rewriting the file server-side to produce the correct embed code in the document.write. If so, there is no reason why you can't pass other variables to allow player customisation.

Rob
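
Added example, not part of either answer or of YSTV's code: once embed.js is generated per request from URL parameters as described above, whatever the server accepts ends up inside a script that runs on every embedding page, so the parameters need strict validation and the tag needs escaping for both HTML and the JavaScript string. It is written in JavaScript for Node.js rather than PHP; the parameter names `id`, `width`, `height`, the size limits and the function names are assumptions.

```javascript
// Added example (hypothetical names): build the body of embed.js from query parameters.
const PLAYER = "http://ystv.york.ac.uk/static/flash/mediaplayer4.swf"; // from the question
const VIDEO = "http://ystv.york.ac.uk/static/videos.php?file=";        // from the question

// Accept only a short decimal integer within [min, max]; null means "reject".
function intParam(value, min, max, fallback) {
  if (value === undefined) return fallback;
  if (!/^[0-9]{1,6}$/.test(String(value))) return null;
  const n = Number(value);
  return n >= min && n <= max ? n : null;
}

// Escape a value for use inside a double-quoted HTML attribute.
function attr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
                  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns { status, body }; body is the JavaScript to serve as embed.js.
function buildEmbedJs(query) {
  const id = intParam(query.id, 1, 999999, null);          // required
  const width = intParam(query.width, 120, 1920, 480);     // assumed limits
  const height = intParam(query.height, 90, 1080, 360);    // assumed limits
  if (id === null || width === null || height === null) {
    return { status: 400, body: "/* invalid embed parameters */" };
  }
  const flashvars = [
    "autostart=false",
    "file=" + encodeURIComponent(VIDEO + id),
    "width=" + width, "height=" + height, "type=video",
  ].join("&");
  const tag = '<embed type="application/x-shockwave-flash" name="ystvplayer"' +
    ' src="' + attr(PLAYER) + '" width="' + width + '" height="' + height + '"' +
    ' allowfullscreen="true" flashvars="' + attr(flashvars) + '" />';
  // JSON.stringify produces a valid JS string literal; escaping "<" as well
  // means the output can never contain a "</script>" sequence.
  const literal = JSON.stringify(tag).replace(/</g, "\\u003c");
  return { status: 200, body: "document.write(" + literal + ");" };
}
```

Nothing from the request is copied into the output as text: only integers that passed the range check are used, and a request that fails validation gets a 400 with a fixed body.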