13 February 2008

Don't get paranoid Mr. Frodo (!)

Sure, Flash widgets are cool: they make our blogs look inviting and special, but that doesn't mean they are 100% safe. There is an issue with Flash Player 9 Update 3 (v9.0.115.0) and later when a movie calls getURL or navigateToURL: the call does nothing if the SWF is hosted on a different domain from the page that embeds it.

This is easily solved by setting the target window name to "_blank", which is safe and simple. There is another solution, though, and it can be dangerous: setting the HTML parameter allowScriptAccess to "always". The side effect is that the SWF file is then allowed to execute JavaScript in the page that embeds it. If you are the author of the Flash movie, no problem, but if you can't trust the widget's author, O-o!

Here is one example. The widespread Vizu web polls Flash widget has allowScriptAccess set to "always". You can check this yourself: open your page source in your browser and search for the keyword embed, then check whether the allowScriptAccess parameter is present and what its value is. If it's "always", the widget can be dangerous. Now, don't get paranoid (android), not all people are bad (Mr. Frodo).
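The manual "view source and search for embed" check above can be automated. The script below is an added example, not code from the original post or from any widget vendor: it walks a page's HTML with Python's standard-library parser, picks out every Flash widget (an `<embed>`, or an `<object>` with its `<param>` children) and reports the allowScriptAccess value each one carries. The page source, the widget URLs and the domain names in it are constructed for the example; the one factual assumption built in is that Flash Player treats a missing allowScriptAccess as "sameDomain".

```python
from html.parser import HTMLParser

# Constructed sample page source, not taken from any real blog: one widget
# embedded (object + embed) with allowScriptAccess="always", one local
# banner with "sameDomain", and one that omits the parameter altogether.
SAMPLE_HTML = """
<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="300" height="250">
  <param name="movie" value="http://widgets.example.com/poll.swf" />
  <param name="allowScriptAccess" value="always" />
  <embed src="http://widgets.example.com/poll.swf" allowScriptAccess="always"
         type="application/x-shockwave-flash" width="300" height="250"></embed>
</object>
<embed src="/local/banner.swf" allowScriptAccess="sameDomain"
       type="application/x-shockwave-flash"></embed>
<embed src="http://other.example.net/clock.swf"
       type="application/x-shockwave-flash"></embed>
</body></html>
"""


def classify(value):
    """Map an allowScriptAccess value to a risk level and a one-line reason.
    When the attribute is absent Flash Player falls back to sameDomain."""
    v = (value or "sameDomain").lower()
    if v == "always":
        return "risky", "SWF may call JavaScript in the host page whatever domain it comes from"
    if v == "never":
        return "ok", "SWF may not call JavaScript at all"
    return "ok", "SWF may call JavaScript only if served from the host page's own domain"


class FlashEmbedAuditor(HTMLParser):
    """Collects every Flash widget (<embed>, or <object> with its <param>s)
    together with the allowScriptAccess value it carries."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._obj = None  # state gathered while inside an <object> element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lowercases attribute names
        if tag == "embed":
            self._record("embed", attrs.get("src"), attrs.get("allowscriptaccess"))
        elif tag == "object":
            self._obj = {"movie": attrs.get("data"), "asa": None}
        elif tag == "param" and self._obj is not None:
            name = (attrs.get("name") or "").lower()
            if name == "movie":
                self._obj["movie"] = attrs.get("value")
            elif name == "allowscriptaccess":
                self._obj["asa"] = attrs.get("value")

    def handle_endtag(self, tag):
        # Self-closing <param ... /> tags reach handle_starttag/handle_endtag too.
        if tag == "object" and self._obj is not None:
            self._record("object", self._obj["movie"], self._obj["asa"])
            self._obj = None

    def _record(self, tag, src, value):
        level, reason = classify(value)
        self.findings.append({"tag": tag, "src": src,
                              "allowScriptAccess": value,
                              "level": level, "reason": reason})


def audit_page_source(html):
    """Return one finding per Flash widget found in the page source."""
    auditor = FlashEmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def risky_sources(html):
    """Sorted, de-duplicated SWF URLs embedded with allowScriptAccess="always"."""
    return sorted({f["src"] for f in audit_page_source(html) if f["level"] == "risky"})


if __name__ == "__main__":
    for f in audit_page_source(SAMPLE_HTML):
        print(f"[{f['level']:5}] <{f['tag']}> {f['src']}: "
              f"allowScriptAccess={f['allowScriptAccess']!r} ({f['reason']})")
    print("Widgets needing a second look:", risky_sources(SAMPLE_HTML))
```

Run it against your own page source (read the file and pass its contents to `audit_page_source`) and only the widgets that really carry "always" show up as risky; the local banner with "sameDomain" and the widget that omits the parameter are reported as fine, so the check distinguishes the dangerous configuration from the harmless default rather than flagging every Flash embed.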

For more info about this issue, read this TechNote.
