flash object activated on one domain is not blocked on other

[al_9x]

AFAIU it should block even different instances on the same site.

Activate the player here: http://flash-mp3-player.net/players/normal/ then load this locally:

Code: Select all

<object type="application/x-shockwave-flash" data="http://flash-mp3-player.net/medias/player_mp3.swf" width="200" height="20">
<param name="FlashVars" value="mp3=http://users.skynet.be/fa046054/home/P22/track06.mp3">
</object>

[Giorgio Maone]

The embedding page is not a key for the temporary whitelist: only the URL and possibly parameters are used.
Therefore yes, if you allow an instance on a certain site, it's allowed everywhere.
However including the parent domain (or even the page itself) in the key is probably a good idea.

[al_9x]

1. from the security perspective this seems ok at first glance, since the swf is already loaded, however, a rogue site may be able trigger an exploit via various parameters and/or content (in case of players), so just because you loaded a given player at site A does not mean that a potentially rogue site B should be able to.
2. beyond security, plugin blocking is also a usability and performance feature, so at least optionally, it should be possible to prevent the spreading of allows to other domains and even other instances in the same domain.

[Giorgio Maone]

Please check latest development build.

[al_9x]

Please check latest development build.

1. When you activate the player, shouldn't the icon change to , instead of ? This issue is not new to 2.0.9
2. in 2.0.9.1 revoking temp perms does not reload the page, did in 2.0.8.1
3. the blocked object menu is not very clear, perhaps it can be more verbose:

   temporarily allow shockwave/flash from http://host1 (embedded) on|in http://host2

[Giorgio Maone]

[*] When you activate the player, shouldn't the icon change to , instead of ? This issue is not new to 2.0.9

So far we used to notify about documents whose whitelist status is "allowed", and could therefore execute JavaScript. The player is not a document.

[*] in 2.0.9.1 revoking temp perms does not reload the page, did in 2.0.8.1

Checking, thanks.

[*] the blocked object menu is not very clear, perhaps it can be more verbose:

temporarily allow shockwave/flash from http://host1 (embedded) on|in http://host2

I'll give it a shot as soon as Babelzilla is back working correctly (I uploaded 2.0.9.6xyz for translation yesterday).

[al_9x]

So far we used to notify about documents whose whitelist status is "allowed", and could therefore execute JavaScript. The player is not a document.

I was going by the features page:

- this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed

That makes perfect sense, native plugins, especially those running script, are more "active" than JS, so an "all blocked" icon is misleading. Perhaps you think it needs a different icon? But it should be something other than "all blocked."

[Giorgio Maone]

- this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed

That makes perfect sense, native plugins, especially those running script, are more "active" than JS, so an "all blocked" icon is misleading.

Gotcha. OK, I'll see what it takes to live to the "specs"