[Webkit-unassigned] [Bug 32908] New: "Refused to execute a JavaScript script" error when embedding SWF with a URL that is also a query parameter

bugzilla-daemon at webkit.org
Wed Dec 23 11:15:47 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=32908

           Summary: "Refused to execute a JavaScript script" error when
                    embedding SWF with a URL that is also a query
                    parameter
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html?param=http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: vinsonb at gmail.com


Created an attachment (id=45443)
 --> (https://bugs.webkit.org/attachment.cgi?id=45443)
Simple file which embeds the Adobe Flash version checker SWF. It fails to embed
if the URL to the SWF is included as a query param

Attempting to embed a SWF using the "embed" tag when the "src" attribute is
also present in the document's URL fails with the error:

Refused to execute a JavaScript script. Source code of script found within
request

This is happening with the latest WebKit nightly, and also in the latest Chrome
beta on both Mac+Windows.


For example, the following URL correctly displays Adobe's standard Flash
version checker, which is located at
http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf
http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html

However, if I add the absolute location of the SWF as the value of a query
parameter, the error message is displayed in the console, and the SWF fails to
embed:
http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html?anything=http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf

If I slightly change that query parameter so that the URL is no longer an exact
match (by removing the "f" from "swf"), everything works fine once again:
http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html?param=http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.sw

Another example:
http://www.youtube.com/watch?v=LkCNJRfSZBU - Movie loads properly
http://www.youtube.com/watch?v=LkCNJRfSZBU&breaky=http://s.ytimg.com/yt/swf/watch_as3-vfl138567.swf
- Movie fails to load

This seems to be related to the XSSAuditor, but I have fairly limited knowledge
of how that all works. Please excuse my ignorance if this behavior is intended.
I noticed it because some of the functionality on our site was broken with
Chrome 4, and have found a simple workaround for our purposes, but figured I
should submit a report to you all just in case this is indeed unintended.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
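
Added example (not part of the original report, and not WebKit's XSSAuditor code): a simplified JavaScript model of the behaviour described above, assuming an embed is refused whenever its src appears verbatim in a decoded query parameter. PAGE_HTML, the function names and the percent-encoded fourth case are constructed for illustration.

```javascript
// Simplified model of the matching behaviour this report describes.
// NOT WebKit's XSSAuditor code. Assumption: an <embed> is refused when its
// src appears verbatim in a percent-decoded query parameter of the request.

// Constructed stand-in for the attached test page (attachment 45443).
const SWF = 'http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf';
const PAGE_HTML = `<html><body><embed src="${SWF}" type="application/x-shockwave-flash"></body></html>`;
const BASE = 'http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html';

// Collect the src of every <embed> tag in static markup.
function embedSources(html) {
  const out = [];
  const re = /<embed\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Compare each embed src with the decoded query parameters. The model cannot
// tell whether the server actually echoed the parameter into the page, which
// is why a fully static page is flagged (the false positive reported here).
function audit(pageUrl, html) {
  const params = [...new URL(pageUrl).searchParams]; // values arrive decoded
  return embedSources(html).map((src) => {
    const hit = params.find(([, value]) => value.includes(src));
    return { src, blocked: Boolean(hit), param: hit ? hit[0] : null };
  });
}

// The three URLs from the report, plus a constructed percent-encoded variant.
const CASES = [
  BASE,                                   // no parameter: embed loads
  `${BASE}?anything=${SWF}`,              // exact match: refused
  `${BASE}?param=${SWF.slice(0, -1)}`,    // trailing "f" removed: loads
  `${BASE}?x=${encodeURIComponent(SWF)}`, // constructed: matches after decoding
];

for (const url of CASES) {
  const [f] = audit(url, PAGE_HTML);
  console.log(f.blocked ? `refused (param "${f.param}")` : 'allowed', url);
}
```
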


