On Wed, Feb 28, 2018 at 7:17 PM, Michael Niedermayer <mich...@niedermayer.cc> wrote: > + <script src="https://widget.battleforthenet.com/widget.js"; > async></script>
Please use https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity . That way this third-party entity will only get loaded if the content matches a known checksum. Even better, host it locally. (I have not checked if ffmpeg.org loads other sub-resources, but they should get a similar treatment in general) Personally, looking at the last year's fiasco of it not remembering that you had already closed it, as well as showing up after the "event" I am against this. But if someone thinks this is absolutely necessary, we should at least take minimal steps to keep sub-resource contamination at bay. Best regards, Jan _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
