Vimeo, iframes and the future of web video

Reading Time: 2 minutes

I was looking at this film below on Vimeo and noticed a new element in the embed code to use it, prior to the video code itself:

<!– This version of the embed code is no longer supported. Learn more: –> <object width=”500″ height=”281″><param name=”allowfullscreen” value=”true” /><param name=”allowscriptaccess” value=”always” /><param name=”movie” value=”;force_embed=1&amp;;show_title=1&amp;show_byline=1&amp;show_portrait=1&amp;color=00adef&amp;fullscreen=1&amp;autoplay=0&amp;loop=0″ /><embed src=”;force_embed=1&amp;;show_title=1&amp;show_byline=1&amp;show_portrait=1&amp;color=00adef&amp;fullscreen=1&amp;autoplay=0&amp;loop=0″ type=”application/x-shockwave-flash” allowfullscreen=”true” allowscriptaccess=”always” width=”500″ height=”281″></embed></object>

(I have emphasised the notation in bold for ease of reading).

The Vimeo FAQ section quoted in the note isn’t that expansive in its discussion about this lack of support. It just says that the ‘new embed code’ using iframes is the one to use for WordPress.

By default iframes are disabled in WordPress because they present security risks for the page viewer. This is due to the way that an iframe operates.

At the risk of oversimplifying what an iframe is, imagine that you are reading a newspaper in public and you are around the middle of the paper holding the paper up whilst you do it. Now imagine that a hole is neatly cut in the front page of the paper so that a story from page three shows through and looks as if it is part of the front page to the idle passer by. An iframe does a similar thing allowing you to ‘see ‘through’ a section of one page to see content from another site.

An iframe could be used to pass off malevolent element of one page in another site that is trusted, or mix HTTP and HTTPS elements within a web page. All of this makes it harder for a user to know what site they are actually dealing with and can mask processes that put their computer and network at risk.

Because of this using an iframe on WordPress requires a proactive decision to use an iframe plug-in. And unlike an embed code, these are harder for the neophyte blogger to use:

  • The code that you have to use is different to what Vimeo gives you (you need to extract these elements yourself
  • There is a a number of unresolved issues around setting the height of an the content within an iframe
  • Core functionality like the ability to scroll is turned off by default
  • Part of the reason why the iframe seems to be a reverse in the overall pattern to democratise content sharing is that the iframe is actually an old standard dating back to 1997

The reason why Vimeo has decided to go down this route is because it can make the video content responsive to the device that is likely to play it, emphasising the increasing importance of devices like the iPad for content consumption.  One of the main barriers to universal adoption that Vimeo (and other content platforms) face is that the use of iframes need to be made easier for the average content creator.

More information
IFrames security issues – The Spanner
Vimeo FAQs