[Webkit-unassigned] [Bug 35802] New: Gadget embed blocked due to URL in content
bugzilla-daemon at webkit.org
Fri Mar 5 11:57:01 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=35802
Summary: Gadget embed blocked due to URL in content
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: mosesoak at yahoo.com
This bug might be more for the Sites team, but there's definitely a WebKit
error being thrown that seems a bit suspect so I figured I'd start here.
I work for Animoto.com, a video generation service, which publishes a lot of
video to the web via a Flash video player. We include a URL in our flashvars
for our Pro users to be able to provide a linkback to their websites. While
Chrome loads our player just fine with standard embeds, when embedded via a
Gadget embed in Sites WebKit is choking on:
"Refused to load an object. URL found within request"
Perhaps via XSSAuditor::canLoadObject().
Example -- if you hit this link soon you may see the problem, although the user
will probably try to fix it:
http://sites.google.com/a/1stnepean.ca/scout-troop/photos/2009-year-in-review.
(For comparison, a non-gadgets embed with URL in Flashvars that loads fine:
http://www.davidmartschinske.com/)
I'm sure there are valid security reasons for calling XSSAuditor::canLoadObject
to try and weed out risky content. However, passing a url into a swf's
flashvars does not constitute a security risk in and of itself, as evidenced by
Animoto's vanilla use case. Perhaps there's some way WebKit and the Sites team
can improve this filtering a little, so that low-threat use cases aren't
unnecessarily blocked.
Thanks for your time -- If this needs to be passed to the Sites team please let
me know if there's a way to bypass their forum as an entry point.
(OK to contact me offlist regarding this specific issue)
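The report above says the block fires when the "URL [is] found within request", i.e. the auditor treats an object whose parameters are echoed from the page's own request URL as suspected reflected content. The following is an added, simplified model of that heuristic, written for this page and not WebKit's actual XSSAuditor code; the URLs and parameter names (up_src, up_flashvars, the player and linkback hosts) are constructed to mirror the gadget-versus-standard embed contrast the reporter describes.

```python
from urllib.parse import urlsplit, unquote

# Minimum length before a parameter value counts as a "reflected" match;
# a constructed threshold that keeps trivially short values from matching.
MIN_MATCH_LEN = 8


def reflected_params(request_url, embed_params):
    """Return the names of embed parameters whose values also appear in the
    request URL's query or fragment, i.e. content that looks reflected from
    the request rather than authored into the page."""
    parts = urlsplit(request_url)
    # Decode percent-escapes so "linkback%3Dhttp%3A%2F%2F..." matches the
    # decoded flashvars string the object element actually carries.
    haystack = unquote(parts.query + "#" + parts.fragment).lower()
    hits = []
    for name, value in embed_params.items():
        if value and len(value) >= MIN_MATCH_LEN and value.lower() in haystack:
            hits.append(name)
    return sorted(hits)


def can_load_object(request_url, embed_params):
    """Simplified policy: refuse the object if any of its parameters are
    reflected from the request URL."""
    return not reflected_params(request_url, embed_params)


# Constructed scenario 1: a standard embed on a site's own page. The object's
# src and flashvars are authored into the HTML, not carried in the URL.
STANDARD_PAGE = "https://www.example.com/portfolio"
STANDARD_EMBED = {
    "src": "http://player.example.com/player.swf",
    "flashvars": "linkback=http://scouts.example.org",
}

# Constructed scenario 2: a gadget wrapper page whose request URL carries the
# gadget's configuration, so the same values appear in both URL and object.
GADGET_PAGE = (
    "https://sites.example.com/gadget"
    "?up_src=http://player.example.com/player.swf"
    "&up_flashvars=linkback%3Dhttp%3A%2F%2Fscouts.example.org"
)
GADGET_EMBED = STANDARD_EMBED


if __name__ == "__main__":
    for label, url, embed in (("standard", STANDARD_PAGE, STANDARD_EMBED),
                              ("gadget", GADGET_PAGE, GADGET_EMBED)):
        print(label, "load allowed:", can_load_object(url, embed),
              "reflected:", reflected_params(url, embed))
```

Running it shows why the two embeds in the report diverge: the object element is identical, but in the gadget case its src and flashvars are also present in the wrapper page's query string, so a purely string-based reflection check cannot distinguish a legitimately URL-configured gadget from injected content. Any refinement of the filter would need a signal other than "value appears in the request", such as the embedding page's own knowledge that it deliberately passed those parameters through.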