While pondering different possible solutions, I thought of two things:
- First: why doesn't Google Reader just put the HTML extracted from feeds in an IFRAME served from a custom / randomly generated subdomain (i.e. qwefwer.googlereader.com)? The IFRAME could have no border and the appropriate width and height (and the correct overflow style), making it indistinguishable from a plain page. The idea being that the same origin policy would prevent malicious JS from fiddling with elements it shouldn't touch. However, this was probably harder and possibly less secure than going with the whitelisting.
Unfortunately (fortunately?) this is not the case. They seem to employ a whitelisting solution, removing any embed/object tags which specify a source that is not on the whitelist. As far as I can tell the whitelist is not public, but it includes at least some online video services. BTW, if you wish to inspect the Google Reader traffic in Fiddler, don't forget that responses are GZIP compressed, which Fiddler doesn't decompress automatically :(
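To make the whitelisting idea concrete, here is an added example of a filter of the kind described above. It is my own illustration, not Google Reader's code, and the whitelist, the sample feed HTML and the set of attributes it inspects are all constructed for this example. It drops every embed/object whose source is not an absolute http(s) URL on an exact-match host whitelist, and because an `<object>` can carry its source in a `<param name="movie">` or a nested `<embed>` rather than in its own `data` attribute, it buffers the whole object subtree and decides only when the closing tag arrives.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed whitelist for this example; Google Reader's real list is not public.
WHITELIST = {"www.youtube.com", "youtube.com", "video.google.com"}

# <param> names that commonly carry an object's real source (assumption for this example).
PARAM_SRC_NAMES = {"movie", "src", "url"}


def host_allowed(url, whitelist=WHITELIST):
    """True only for absolute http(s) URLs whose host is exactly on the whitelist.

    Relative, protocol-relative, javascript: and data: URLs all fail the scheme
    check; 'www.youtube.com.evil.example' and 'www.youtube.com@evil.example'
    fail the exact host match because urlparse reports the real host.
    """
    if url is None:
        return False
    parts = urlparse(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in whitelist


class EmbedFilter(HTMLParser):
    """Pass HTML through unchanged except for non-whitelisted <embed>/<object>."""

    def __init__(self, whitelist=WHITELIST):
        super().__init__(convert_charrefs=False)
        self.whitelist = whitelist
        self.out = []       # output pieces
        self.objects = []   # stack of open <object>s: [buffered pieces, candidate URLs]
        self.removed = 0    # number of embeds/objects dropped

    def _emit(self, text):
        # While inside an <object>, buffer instead of emitting; decided at </object>.
        (self.objects[-1][0] if self.objects else self.out).append(text)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        raw = self.get_starttag_text()   # original tag text, re-emitted verbatim
        if tag == "object":
            urls = [a["data"]] if a.get("data") is not None else []
            self.objects.append([[raw], urls])
            return
        if self.objects:
            # Inside an object: collect every candidate source, keep the markup buffered.
            if tag == "param" and (a.get("name") or "").lower() in PARAM_SRC_NAMES:
                self.objects[-1][1].append(a.get("value"))   # None -> rejected later
            elif tag == "embed":
                self.objects[-1][1].append(a.get("src"))
            self._emit(raw)
            return
        if tag == "embed":
            if host_allowed(a.get("src"), self.whitelist):
                self._emit(raw)
            else:
                self.removed += 1
            return
        self._emit(raw)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag == "object":               # <object ... /> has no children to wait for
            self._close_object(add_end=False)

    def handle_endtag(self, tag):
        if tag == "embed":
            return   # void element: browsers ignore </embed>, so never emit one
        if tag == "object" and self.objects:
            self._close_object()
            return
        self._emit("</%s>" % tag)

    def _close_object(self, add_end=True):
        pieces, urls = self.objects.pop()
        if add_end:
            pieces.append("</object>")
        # An object with no source at all, or any non-whitelisted source, is dropped.
        if urls and all(host_allowed(u, self.whitelist) for u in urls):
            self._emit("".join(pieces))
        else:
            self.removed += 1

    # Everything else is reproduced as-is.
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit("&%s;" % name)
    def handle_charref(self, name): self._emit("&#%s;" % name)
    def handle_comment(self, data): self._emit("<!--%s-->" % data)
    def handle_decl(self, decl): self._emit("<!%s>" % decl)


def filter_embeds(html, whitelist=WHITELIST):
    """Return (filtered_html, number_removed)."""
    f = EmbedFilter(whitelist)
    f.feed(html)
    f.close()
    while f.objects:            # unterminated <object> at end of input: never emit it
        f.objects.pop()
        f.removed += 1
    return "".join(f.out), f.removed


# Constructed feed item mixing allowed and hostile embeds.
SAMPLE = (
    '<p>Allowed:</p>'
    '<embed src="http://www.youtube.com/v/abc123" type="application/x-shockwave-flash" />'
    '<p>Lookalike host:</p>'
    '<embed src="http://www.youtube.com.evil.example/v/x">'
    '<p>Object with param movie:</p>'
    '<object width="425" height="350">'
    '<param name="movie" value="http://www.youtube.com/v/abc123">'
    '<embed src="http://www.youtube.com/v/abc123"></embed>'
    '</object>'
    '<object data="http://evil.example/payload.swf"><param name="x" value="y"></object>'
    '<p>Done &amp; dusted</p>'
)

if __name__ == "__main__":
    cleaned, n = filter_embeds(SAMPLE)
    print("removed %d element(s)" % n)
    print(cleaned)
```

The exact-host match is deliberate: a suffix or substring check on "youtube.com" would let `www.youtube.com.evil.example` through, and the scheme check is what stops `javascript:` and protocol-relative sources. Note that this only filters plugin elements; it does nothing about the `<script>` and event-handler attributes that a real feed sanitizer must also strip.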
Where does this leave us?
I don't know what kind of filtering is applied to other objects (Java applets, Silverlight, etc.), but from what I've seen I assume that they would be filtered out.
It would be very nice if they would adopt the IFRAME approach, because that would mean both better security and the possibility for them to enable full JS / object support.