[Gehinnn]

What do you mean "video file that I'm perfectly willing to play in my browser". Isn't it safe to assume that no video file can escape the browser decoding sandbox?

[thaumasiotes]

> Isn't it safe to assume that no video file can escape the browser decoding sandbox?

Why would that be safe to assume? If that were a reasonable assumption, you could just as well assume that it's safe to run ffmpeg.

[Denvercoder9]

I'm not up-to-speed with the current state of sandboxing in browsers, but in principle it's (on modern operating systems) not especially hard for them to sandbox the decoding into a separate process with basically no privileges beyond rendering a video stream. It's a bit trickier if we're only considering demuxing and delegating decoding to the hardware, but that's a much smaller attack surface.

A manually run ffmpeg on the command line does nothing to restrict its privileges, and its security model has very little interest in doing so, while browsers very much have.

[lostglass]

Yeah, then you need to stream content in real time between multiple processes. And not screw up the licensing.

And get hardware acceleration working...

[ttoinou]

The parent does argues it is safer to sandbox ffmpeg yes

[kjs3]

Isn't it safe to assume that no video file can escape the browser decoding sandbox?

It's 'safe to assume' it's not. It's emphatically not safe to assume any mitigation is perfect.

[preg_match]

No, browsers have had many sandbox escape exploits related to decoding.