break.com flash videos run even when blocked
Posted: Thu Dec 23, 2010 8:35 am
by breakBug
See a sample video from break.com
http://www.break.com/index/tree-cutting ... nt-1972188
"Embeddings" TAB in OPTIONS:
My options for NoScript (v2.0.8.1) have all "Embeddings" objects
checked including "Forbid Adobe FLASH".
Additionally, "Apply restrictions to whitelisted sites too" is checked.
As is "Block every object coming from a site marked as untrusted".
"Show Placeholder Icon" also checked.
Under all sites and situations these settings
have managed to block (with placeholders)
all flash objects and videos to date that I have encountered.
Until now.
The videos on this site (which previously used
to also be blocked by the same settings) are now
running as soon as the site loads. I cannot understand
how the flash videos are running or bypassing
NoScript. There is no blocking of the flash object
and no placeholder appears.
Can anybody offer comments?
Re: break.com flash videos run even when blocked
Posted: Thu Dec 23, 2010 12:14 pm
by Giorgio Maone
The Flash movies actually get blocked.
However, once you allow one by clicking its placeholder, all the others get allowed as well because they all share the same URL (http://media1.break.com/static/app/v1/g ... ayer10.swf).
NoScript actually has code to discriminate the different instances, based on the parameters, and it works very well on YouTube, but for some reason it does not suffice on break.com.
I'm investigating, but there's no security issue here because you need to actually allow the player on the site (albeit once) before it runs.
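A model of the behaviour described in the reply above, as an added example that is not NoScript's code and not part of the original thread: a click-to-play allow-list keyed only by the object URL unblocks every embed of the same player, while a key that also covers the object's parameters unblocks only the clicked instance. The player URL, the parameter names and all function names are constructed for illustration.

```javascript
// Key that identifies an allowed object by its URL only.
function keyByUrl(embed) {
  return embed.src;
}

// Key that also covers the object's parameters, sorted by name so that
// attribute order in the markup does not change the key.
function keyByUrlAndParams(embed) {
  const pairs = Object.keys(embed.params).sort()
    .map((name) => [name, embed.params[name]]);
  return `${embed.src}|${JSON.stringify(pairs)}`;
}

// Minimal click-to-play blocker: an object stays blocked until its key is allowed.
class Blocker {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.allowed = new Set();
  }
  // Called when the user clicks the placeholder of one object.
  allow(embed) {
    this.allowed.add(this.keyFn(embed));
  }
  isBlocked(embed) {
    return !this.allowed.has(this.keyFn(embed));
  }
}

// Constructed sample embeds: one shared player file, different content.
const PLAYER = "http://media.example/static/player.swf";
const videoA = { src: PLAYER, params: { flashvars: "id=111", quality: "high" } };
const videoB = { src: PLAYER, params: { quality: "high", flashvars: "id=222" } };
// Same content as videoA with the parameters written in another order.
const videoAReordered = { src: PLAYER, params: { quality: "high", flashvars: "id=111" } };

// Allow videoA once, then report whether `other` is still blocked.
function blockedAfterAllowingA(keyFn, other) {
  const blocker = new Blocker(keyFn);
  blocker.allow(videoA);
  return blocker.isBlocked(other);
}

console.log("URL-only key, video B blocked:", blockedAfterAllowingA(keyByUrl, videoB));
console.log("URL+params key, video B blocked:", blockedAfterAllowingA(keyByUrlAndParams, videoB));
```

Two embeds whose URL and parameters are both identical produce the same key in this model, so a parameter-based key cannot separate them.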
Re: break.com flash videos run even when blocked
Posted: Sat Dec 25, 2010 4:52 am
by breakBug
Thank you for investigating.
While I *confirm* that it appears you do have to click
the first video before any of them run, it is concerning that
all subsequent visits to any page at break.com with
a video will then run automatically.
It was my understanding that this should not occur
and it would appear a security risk. Objects on new
pages should be blocked regardless (with the settings
I indicated) regardless of whether I allowed one on a
different page with different content. No?
If a user allowed flash from some site
whereby future occurrences of that same link
would run automatically on other pages
then the very nature of noscript would
seem to be being bypassed. Is this not
a security opening?
If there is a setting to correct the current behavior
at Break.com, please let me know what it is.
If there is a coding change instead, please consider
implementing in a future version.
Re: break.com flash videos run even when blocked
Posted: Sat Dec 25, 2010 5:01 am
by breakBug
Let me clarify my concern a bit.
It was simply my understanding that the
settings as described for NoScript would block
any and all objects (including flash) that occur
on newly opened pages - *regardless* of what
I had done on any other page in my life.
Even if I allowed a flash object on a page and then
reloaded it, I was expecting that all objects including
that previously allowed flash would be blocked with
a placeholder upon reloading the page.
This is the first time in many years of using either NoScript
and/or Flashblock where allowing a flash object on a
page then allowed it on new/independent pages (or reloads).
I understand that you do have to click it once, but it would
seem that a security hole could be created out of this situation
through a bit of thinking and a properly set up site.
Maybe not. But the history of the internet is that if there is
an angle no matter how small somebody will find a way into it.
It would be reassuring to me if those Flash video objects didn't
all run after I clicked the first one. They *are* on different pages
and they *are* different content.
Re: break.com flash videos run even when blocked
Posted: Sat Dec 25, 2010 5:03 am
by breakBug
Sorry for all the typos.
Re: break.com flash videos run even when blocked
Posted: Mon Dec 27, 2010 4:54 pm
by Giorgio Maone