Thanks for digging into the example sites there! So I looked
further into the two examples you gave, and I think what's
actually going on in both cases is that the <object> also
contains fallback content which is what you're seeing:
For http://sextherapy.ru/, the full <object> looks like this:
<object width="180" height="100"
classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0";>
<param name="allowFullScreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="src"
value="//www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0
<http://www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0>"
/>
<param name="allowfullscreen" value="true" />
<embed width="180" height="100"
type="application/x-shockwave-flash"
src="//www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0
<http://www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0>"
allowFullScreen="true" allowscriptaccess="always"
allowfullscreen="true" />
</object>
The <param>s in this example aren't actually doing anything - you
can remove them and still see the video, since it's provided by
the fallback <embed>. It looks like those params were maybe meant
to talk to an SWF object?
Similarly, for https://jackrussell.forumattivo.com/, the <object>
is this:
<object width="560" height="340">
<param name="movie"
value="https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;
<https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;>"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<iframe width="560" height="315"
src="https://www.youtube.com/embed/_ikcScPyKUQ";
frameborder="0" allowfullscreen=""></iframe>
</object>
Again, the <param>s aren't doing anything here, and the fallback
<iframe> contains the "real" content.
I also confirmed that with the proposed behavior disabled (i.e.
<param>s can't provide URLs), both example sites still work.
I'm happy to look further into other such examples if you like,
but I think these two examples should be "ok".
Again, thanks for taking a look!
Thanks,
Mason
On Fri, Apr 15, 2022 at 11:06 AM Mike Taylor
<[email protected]> wrote:
On 4/13/22 12:48 PM, Mason Freed wrote:
Contact emails
[email protected]
Explainer
https://github.com/whatwg/html/pull/7816
https://github.com/whatwg/html/issues/6003
Specification
https://github.com/whatwg/html/pull/7816
Summary
The <param> element can be used to specify parameters such
as a URL (via params named "movie", "src", "code", "data",
or "url") to a containing <object> element. Given the
removal of plugins from the web platform, and the relative
lack of use of this particular functionality, we would like
to deprecate and remove it.
Blink component
Blink
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
Motivation
Given that plugins are gone from the web platform (with
their full removal from the spec being tracked in
https://github.com/whatwg/html/issues/6003), it is not
useful. In some browsers it can be used to figure out the
URL of an <object>, even when that <object> is not being
used for a plugin, via params named "movie", "src", "code",
"data", or "url". But we decided to remove this behavior
from browsers instead of specifying it. This retains the
HTMLParamElement interface, as well as the parser behavior
of <param>.
Initial public proposal
Search tags
<param>
<https://chromestatus.com/features#tags:%3Cparam%3E>,
<object> <https://chromestatus.com/features#tags:%3Cobject%3E>
TAG review
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: Shipped/Shipping
(https://github.com/whatwg/html/issues/387#issuecomment-1088331300)
Issue was initially raised by Mozilla, and Gecko already
does not process param at all.
WebKit: No signal
(https://bugs.webkit.org/show_bug.cgi?id=239188) No response
on the bug yet.
Web developers: No signals
Other signals:
Ergonomics
Since this is a deprecation, there is a Web Compat risk. I
added use counters for the situations that will be affected:
- <param> that specifies a URL, inside an <object> that
doesn't: 0.04%,
https://chromestatus.com/metrics/feature/timeline/popularity/4010
- As above, but URL successfully resolves to a (supported)
PDF resource: 0.00002%,
https://chromestatus.com/metrics/feature/timeline/popularity/4110
- As above, but URL successfully resolves to an
(unsupported) non-PDF resource: not measurable,
https://chromestatus.com/metrics/feature/timeline/popularity/4111
So the vast majority (99.95%) of <param> URL usage appears
to point to invalid resources - likely mostly Flash. A very
small percentage (0.05% of <param>-with-URL usage, 0.00002%
of web page loads) are likely to break when we deprecate
this functionality.
I clicked on the first 20 results from
https://chromestatus.com/metrics/feature/timeline/popularity/4010
(careful, 1 is NSFW), and 18 contain busted SWFs. But two of
them are embedding youtube videos via <param>:
https://jackrussell.forumattivo.com/ has an <object> that has
a child param name="movie"
value="https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&";
<https://www.youtube.com/v/_ikcScPyKUQ&hl=it&fs=1&;>>.
http://sextherapy.ru/ (SFW-ish, at least on the
homepage)<param name="src"
value="//www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0
<http://www.youtube.com/v/7wQYLXBX2RQ?version=3&hl=ru_RU&rel=0>"
/>
I had no idea that was possible - can we dig in some more to
see how many params have a value with "youtube.com
<http://youtube.com>", to see if I got lucky and found the
only 2, or if a lot of sites are relying on this behavior?
WebView Application Risks
Does this intent deprecate or change behavior of existing
APIs, such that it has potentially high risk for Android
WebView-based applications?
Debuggability
Deprecation.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes
Flag name
Requires code in //chrome?
False
Tracking bug
https://crbug.com/1315717
Estimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6283184588193792
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the
Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhXTo%3Dg3scg7KF8g%3Dn5a4rA%3D6UD5cAxTBn9HetnAO%2BJ-A%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM%3DNeDhXTo%3Dg3scg7KF8g%3Dn5a4rA%3D6UD5cAxTBn9HetnAO%2BJ-A%40mail.gmail.com?utm_medium=email&utm_source=footer>.
