[FFmpeg-devel] [PATCH] Revert "Remove battleforthenet widget"

Jan Ekström jeebjp at gmail.com
Wed Feb 28 21:52:19 EET 2018


On Wed, Feb 28, 2018 at 7:17 PM, Michael Niedermayer
<michael at niedermayer.cc> wrote:
> +    <script src="https://widget.battleforthenet.com/widget.js" async></script>

Please use https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
. That way this third-party entity will only get loaded if the content
matches a known checksum. Even better, host it locally.

(I have not checked if ffmpeg.org loads other sub-resources, but they
should get a similar treatment in general)

Personally, looking at the last year's fiasco of it not remembering
that you had already closed it, as well as showing up after the
"event" I am against this. But if someone thinks this is absolutely
necessary, we should at least take minimal steps to keep sub-resource
contamination at bay.

Best regards,
Jan


More information about the ffmpeg-devel mailing list