Retired Document
Important: This document may not represent best practices for current development. Links to downloads and other resources may no longer be valid.
QuickTime 7.1.5 Security Enhancements
Q: I'd like to learn more about the security enhancements and other changes contained in the QuickTime 7.1.5 Update. Please help.
A: QuickTime 7.1.5 delivers numerous bug fixes and addresses critical security issues. Here's a brief overview of the security enhancements contained in this release:
The QuickTime 7.1.5 Update places the following new restrictions on all URLs passed to the QuickTime plug-in:
- URLs cannot cross local/remote zone boundaries
Here's how it works:
Prior to asking the user's web browser to access a URL, the QuickTime plug-in compares the requested URL with the "src" URL (the URL for the movie as specified in HTML) and does the following:
- If the "src" movie is http:, https:, data:, rtsp:, or if there is no "src" attribute at all, it allows only http: and https: URLs.
- If the "src" movie is file:, it allows only file: URLs.
In other words, a local movie can invoke only local URLs, such as another local movie, and remote movies can invoke only remote URLs, such as another remote movie or a web page. Furthermore, remote URLs are restricted to the http:// and https:// protocols. Other protocols, such as javascript://, are prohibited.
Movies played by the QuickTime plug-in in QuickTime 7.1.5 or later will not issue URLs that violate these restrictions, regardless of when the movies were authored.
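The zone rule described above can be written as a small decision function. This is an added example, not Apple's plug-in code: the function names and sample URLs are constructed, and three behaviours are assumptions the document does not specify (a "src" scheme outside the listed ones is denied, an empty "src" is treated as missing, and a relative URL is resolved against "src" before its scheme is checked).

```javascript
// Added illustration of the QuickTime 7.1.5 zone rule; names are hypothetical.
const REMOTE_SRC = new Set(["http:", "https:", "data:", "rtsp:"]);
const REMOTE_ALLOWED = new Set(["http:", "https:"]);
const LOCAL_ALLOWED = new Set(["file:"]);

// Return the normalized scheme ("http:", "file:", ...) or null if unparsable.
// The URL parser lowercases the scheme and strips surrounding whitespace,
// so " JavaScript:..." is compared as "javascript:".
function schemeOf(url, base) {
  try {
    return new URL(url, base).protocol;
  } catch {
    return null;
  }
}

// Which schemes may a movie with this "src" ask the browser to open?
function allowedSchemesFor(src) {
  if (!src) return REMOTE_ALLOWED;              // no "src" attribute at all
  const scheme = schemeOf(src);
  if (scheme !== null && REMOTE_SRC.has(scheme)) return REMOTE_ALLOWED;
  if (scheme === "file:") return LOCAL_ALLOWED; // local movie: local URLs only
  return new Set();                             // assumption: fail closed
}

// True if the requested URL stays inside the zone of the "src" movie.
function isUrlAllowed(src, requested) {
  // Assumption: relative URLs are resolved against "src" first.
  const scheme = schemeOf(requested, src || undefined);
  return scheme !== null && allowedSchemesFor(src).has(scheme);
}

// Constructed sample requests: [src, requested URL]
const samples = [
  ["http://media.example/movie.mov", "https://media.example/next.mov"],
  ["http://media.example/movie.mov", "file:///Users/me/Movies/local.mov"],
  ["http://media.example/movie.mov", "javascript:void(0)"],
  ["file:///Users/me/Movies/a.mov", "file:///Users/me/Movies/b.mov"],
  ["file:///Users/me/Movies/a.mov", "http://media.example/page.html"],
  [undefined, "https://media.example/page.html"],
];
for (const [src, requested] of samples) {
  const verdict = isUrlAllowed(src, requested) ? "allow" : "deny";
  console.log(`${verdict}  src=${src}  ->  ${requested}`);
}
```

Note that an rtsp: "src" counts as remote but rtsp: itself is not an allowed target, so a streaming movie can open only http: and https: URLs.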
For additional information about these security enhancements, please see the following documents:
QuickTime 7.1.5 also introduces the Apple TV Export Component supporting export specifically for Apple TV. See Technical Note TN2188: Exporting Movies for iPod and Apple TV for all the details.
Document Revision History
| Date | Notes |
|---|---|
| 2007-04-02 | New document that discusses the security enhancements and other changes contained in the QuickTime 7.1.5 Update. |
Copyright © 2007 Apple Inc. All Rights Reserved. Updated: 2007-04-02