[Webkit-unassigned] [Bug 35802] New: Gadget embed blocked due to URL in content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 5 11:57:01 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=35802

           Summary: Gadget embed blocked due to URL in content
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mosesoak at yahoo.com


This bug might be more for the Sites team, but there's definitely a WebKit
error being thrown that seems a bit suspect so I figured I'd start here.

I work for Animoto.com, a video generation service, which publishes a lot of
video to the web via a Flash video player. We include a URL in our flashvars
for our Pro users to be able to provide a linkback to their websites. While
Chrome loads our player just fine with standard embeds, when embedded via a
Gadget embed in Sites WebKit is choking on:

  "Refused to load an object. URL found within request"

Perhaps via XSSAuditor::canLoadObject().

Example -- if you hit this link soon you may see the problem, although the user
will probably try to fix it: 
http://sites.google.com/a/1stnepean.ca/scout-troop/photos/2009-year-in-review.

(For comparison, a non-gadgets embed with URL in Flashvars that loads fine:
http://www.davidmartschinske.com/)

I'm sure there are valid security reasons for calling XSSAuditor::canLoadObject
to try and weed out risky content. However, passing a url into a swf's
flashvars does not constitute a security risk in and of itself, as evidenced by
Animoto's vanilla use case. Perhaps there's some way WebKit and the Sites team
can improve this filtering a little, so that low-threat use cases aren't
unnecessarily blocked.

Thanks for you time -- If this needs to be passed to the Sites team please let
me know if there's a way to bypass their forum as an entry point. 

(OK to contact me offlist regarding this specific issue)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list