flash object activated on one domain is not blocked on other

Posted: Thu Dec 23, 2010 7:52 pm
by al_9x
AFAIU it should block even different instances on the same site.

Activate the player here: http://flash-mp3-player.net/players/normal/ then load this locally:

<object type="application/x-shockwave-flash" data="http://flash-mp3-player.net/medias/player_mp3.swf" width="200" height="20">
<param name="FlashVars" value="mp3=http://users.skynet.be/fa046054/home/P22/track06.mp3">
</object>

Re: flash object activated on one domain is not blocked on o

Posted: Thu Dec 23, 2010 11:08 pm
by Giorgio Maone
The embedding page is not a key for the temporary whitelist: only the URL and possibly parameters are used.
Therefore yes, if you allow an instance on a certain site, it's allowed everywhere.
However including the parent domain (or even the page itself) in the key is probably a good idea.

Re: flash object activated on one domain is not blocked on o

Posted: Fri Dec 24, 2010 4:21 am
by al_9x
  1. from the security perspective this seems ok at first glance, since the swf is already loaded, however, a rogue site may be able to trigger an exploit via various parameters and/or content (in case of players), so just because you loaded a given player at site A does not mean that a potentially rogue site B should be able to.
  2. beyond security, plugin blocking is also a usability and performance feature, so at least optionally, it should be possible to prevent the spreading of allows to other domains and even other instances in the same domain.
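A small model of the two keying strategies discussed above (the temporary whitelist keyed on the object URL and its parameters, as described in the reply before, versus one that also includes the embedding page's origin, as asked for here). This is an added example, not NoScript's code; the second embedding site is a constructed URL.

```javascript
// Added example, not NoScript's code: a plugin-object temporary whitelist
// keyed two ways. "url" keys on the object URL plus its parameters (the
// behaviour described in the thread); "url+origin" also folds in the origin
// of the embedding page, so an allowance granted on one site does not carry
// over to the same object embedded by another site.

function normalizeObject(objectUrl, params) {
  // The fragment is irrelevant to what the plugin fetches, so drop it.
  // Parameters (e.g. FlashVars) are part of the key: a different value is a
  // different object, which matters when a player accepts attacker-chosen input.
  const u = new URL(objectUrl);
  u.hash = "";
  return `${u.href}|${params || ""}`;
}

class PluginWhitelist {
  constructor(scope) {
    if (scope !== "url" && scope !== "url+origin") {
      throw new Error(`unknown scope: ${scope}`);
    }
    this.scope = scope;
    this.allowed = new Set();
  }
  key(objectUrl, params, pageUrl) {
    const obj = normalizeObject(objectUrl, params);
    return this.scope === "url" ? obj : `${new URL(pageUrl).origin} ${obj}`;
  }
  allow(objectUrl, params, pageUrl) { this.allowed.add(this.key(objectUrl, params, pageUrl)); }
  revoke(objectUrl, params, pageUrl) { this.allowed.delete(this.key(objectUrl, params, pageUrl)); }
  isAllowed(objectUrl, params, pageUrl) { return this.allowed.has(this.key(objectUrl, params, pageUrl)); }
}

// Constructed scenario from the thread: the player is activated on its home
// site, then the same SWF (same FlashVars) is embedded by an unrelated page.
const SWF = "http://flash-mp3-player.net/medias/player_mp3.swf";
const VARS = "mp3=http://users.skynet.be/fa046054/home/P22/track06.mp3";
const SITE_A = "http://flash-mp3-player.net/players/normal/";
const SITE_B = "http://other-site.example/embed.html"; // constructed, not from the thread

function demo(scope) {
  const wl = new PluginWhitelist(scope);
  wl.allow(SWF, VARS, SITE_A);
  return {
    onSiteA: wl.isAllowed(SWF, VARS, SITE_A),
    onSiteB: wl.isAllowed(SWF, VARS, SITE_B),
    onSiteAOtherVars: wl.isAllowed(SWF, "mp3=http://other-site.example/x.mp3", SITE_A),
  };
}

console.log("url:", demo("url"));               // onSiteB: true  (allowance spreads to every site)
console.log("url+origin:", demo("url+origin")); // onSiteB: false (stays with the site that allowed it)
```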

Re: flash object activated on one domain is not blocked on o

Posted: Mon Dec 27, 2010 4:56 pm
by Giorgio Maone
Please check latest development build.
Re: flash object activated on one domain is not blocked on o

Posted: Tue Dec 28, 2010 8:10 pm
by al_9x
Giorgio Maone wrote: Please check latest development build.
  1. When you activate the player, shouldn't the icon change to Image, instead of Image? This issue is not new to 2.0.9
  2. in 2.0.9.1 revoking temp perms does not reload the page; it did in 2.0.8.1
  3. the blocked object menu is not very clear, perhaps it can be more verbose:
    temporarily allow shockwave/flash from http://host1 (embedded) on|in http://host2

Re: flash object activated on one domain is not blocked on o

Posted: Wed Jan 19, 2011 12:47 am
by Giorgio Maone
al_9x wrote: When you activate the player, shouldn't the icon change to Image, instead of Image? This issue is not new to 2.0.9
So far we used Image to notify about documents whose whitelist status is "allowed", and could therefore execute JavaScript. The player is not a document.
al_9x wrote: in 2.0.9.1 revoking temp perms does not reload the page, did in 2.0.8.1
Checking, thanks.
al_9x wrote: the blocked object menu is not very clear, perhaps it can be more verbose:
temporarily allow shockwave/flash from http://host1 (embedded) on|in http://host2
I'll give it a shot as soon as Babelzilla is back working correctly (I uploaded 2.0.9.6xyz for translation yesterday).

Re: flash object activated on one domain is not blocked on o

Posted: Wed Jan 19, 2011 1:51 am
by al_9x
Giorgio Maone wrote:So far we used Image to notify about documents whose whitelist status is "allowed", and could therefore execute JavaScript. The player is not a document.
I was going by the features page:
Image - this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed
That makes perfect sense, native plugins, especially those running script, are more "active" than JS, so an "all blocked" icon is misleading. Perhaps you think it needs a different icon? But it should be something other than "all blocked."

Re: flash object activated on one domain is not blocked on o

Posted: Wed Jan 19, 2011 7:42 am
by Giorgio Maone
al_9x wrote:
Image - this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed
That makes perfect sense, native plugins, especially those running script, are more "active" than JS, so an "all blocked" icon is misleading.
Gotcha. OK, I'll see what it takes to live up to the "specs" :)