1

Topic: Flinging from wikis, blogs, email, tweets, and discussion posts.

Wouldn't it be nice if I could post a fling link into my blog so that my friends can fling the video to their TVs?  Or put a URL in an email and when my friend clicks on the link in his mail reader, the video is flung to the TV in his network?

The current fling uses an iframe.  Unfortunately users often cannot place iframes into a wiki, blog, visitor discussion post or any system that relies on a restrictive content management system.  Certainly an iframe kills the ability to tweet flings.

We use an iframe because the iframe acts as a trusted intermediary.  The iframe is loaded from our infrastructure and we can be sure that our own code won't fling to the TV (or other connected device) until the user actually clicks on the fling button.

So why is this a big deal?  Consider if the http://flingo.tv/fling/fling call were not restricted.   Website owner Spammy could put the following tag in his web page http://example.com/foo:

 <IMG SRC="http://flingo.tv/fling/fling?url=SPAM&description=Ha+Ha+Ha"></IMG>

When unsuspecting Alice visits http://example.com/foo, as the web page foo downloads it tries to load the faux "image" at URI http://flingo.tv/fling/fling.

A solution that does not introduce inordinate amounts of spam is to allow a fling from a hyperlink but introduce an additional confirmation step.  For example, we could introduce a new function to the fling APIs:

  http://flingo.tv/fling/link?url=U&...

A web site owner then puts this link in an A link or a FORM, e.g.,

  <A href="http://flingo.tv/fling/link?url=U&...">Fling this to your TV! </A>

When the user clicks on this link, flingo.tv returns a web page that includes an HTML FORM in which the user confirms or denies the fling.  In other words, the confirmation web page returned from flingo.tv acts as the trusted intermediary.

Now if Spammy tries to use this link by putting it in the IMG tag, flingo.tv returns a confirmation dialog that the browser cannot render as an image and the fling fails. Requiring a confirmation step also breaks cross site scripting attacks based on the <script>, <frame> and <iframe> tags.

The only drawback of this technique is that it does not enable flinging with a single click, but being able to post a fling link in any wiki, blog, or tweet seems like a worthy enough advantage to justify the tradeoff.

--Dave
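
An added sketch of the confirmation step described in the post above; it is not Flingo's code. The handler shape, the session identifier, the in-memory queue and the per-session token on the form are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlparse

SECRET = secrets.token_bytes(32)   # per-deployment key (assumed)
QUEUE = []                         # stands in for the user's TV queue (assumed)

def confirm_token(session_id, url):
    # Binds a confirmation to the session and URL the form was served for.
    msg = f"{session_id}\n{url}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def handle(method, target, session_id, form=None):
    """Return (status, content_type, body) for one request to /fling/link."""
    parsed = urlparse(target)
    if parsed.path != "/fling/link":
        return 404, "text/plain", "not found"
    if method == "GET":
        # A GET never flings. It only renders the confirmation form, so an
        # IMG, SCRIPT or IFRAME load of this URL queues nothing.
        url = parse_qs(parsed.query).get("url", [""])[0]
        if urlparse(url).scheme not in ("http", "https"):
            return 400, "text/plain", "bad url"
        safe = html.escape(url, quote=True)   # the URL is attacker-supplied
        page = (
            '<form method="POST" action="/fling/link">'
            f'<p>Fling {safe} to your TV?</p>'
            f'<input type="hidden" name="url" value="{safe}">'
            f'<input type="hidden" name="token" value="{confirm_token(session_id, url)}">'
            '<button name="answer" value="yes">Fling</button>'
            '<button name="answer" value="no">Cancel</button></form>'
        )
        return 200, "text/html", page
    if method == "POST":
        form = form or {}
        url = form.get("url", "")
        expected = confirm_token(session_id, url).encode()
        if not hmac.compare_digest(form.get("token", "").encode(), expected):
            return 403, "text/plain", "confirmation did not come from our form"
        if form.get("answer") == "yes":
            QUEUE.append(url)                 # the only place a fling happens
            return 200, "text/plain", "flung"
        return 200, "text/plain", "cancelled"
    return 405, "text/plain", "method not allowed"
```
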

2

Re: Flinging from wikis, blogs, email, tweets, and discussion posts.

Wouldn't it be nice if I could post a fling link into my blog so that my friends can fling the video to their TVs?  Or put a URL in an email and when my friend clicks on the link in his mail reader, the video is flung to the TV in his network?

I implemented this.  See http://forum.flingo.org/viewtopic.php?id=54.  However, rather than "link" I used the shorter name "a", where "a" refers to the HTML anchor tag.  This follows the naming convention established by the iframe call.

--Dave Harrison