enforcing a stricter Flash security policy

Since Opera 9.5 'Kestrel' is in beta, it contains some experimental stuff. "Beta" means "things will be broken", and here's a case where it means "we've broken this on purpose": 9.5 contains a hack to make Flash content default to a more secure security policy.

Flash can communicate with JavaScript in a page. Since you may not trust some random Flash content on your site (think external ads or embedded media players), Macromedia (back when it was still known as Macromedia) came up with the allowScriptAccess attribute. When you embed an external Flash file you should specify allowScriptAccess=samedomain as an embed attribute or PARAM to make sure the Flash isn't allowed to talk to JavaScript in the page.

The problem was that when Macromedia invented the allowScriptAccess attribute, there was already quite a lot of Flash content out there, and most likely a lot of it relied on cross-domain security policies not being enforced. They decided to make the Flash player default to always allowing script communication. Defaulting to the least secure option is bad, but they probably felt they had no choice if the alternative meant temporarily breaking thousands and thousands of Flash sites.

With the 9.5 previews, if you forgot to add allowScriptAccess=samedomain, Opera will add it for you when invoking Flash. This will break sites, we're well aware of that, and we're already seeing some really high-profile casualties. The point of enabling this hack was to see how many broken sites we could find, to evaluate whether we should remove the hack again or keep it for Kestrel final.

A typical symptom is un-closeable Flash overlay ads, so please look out for those and report anything you come across! It's not unlikely that we will have to revert this feature, but meanwhile we'll keep breaking the web – one Flash site at a time.
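To make the behaviour above concrete, here is an added model of the hack (example code, not Opera's implementation): it takes a Flash embed described as an attribute map plus a list of PARAMs, and injects allowScriptAccess=samedomain only when the author forgot to specify it. The `httpsOnly` option models the HTTPS-only variant mentioned in the comments; the function names, the attribute-map representation and the sample embeds are all assumptions for this example.

```javascript
const ATTR = "allowscriptaccess";

// Find the attribute or <param> that sets allowScriptAccess, case-insensitively
// (HTML attribute names and Flash param names are matched without regard to case).
function findScriptAccess(embed) {
  for (const name of Object.keys(embed.attributes || {})) {
    if (name.toLowerCase() === ATTR) return embed.attributes[name];
  }
  for (const p of embed.params || []) {
    if ((p.name || "").toLowerCase() === ATTR) return p.value;
  }
  return null; // nothing specified: per the post, the player then defaults to "always"
}

// Return a copy of `embed` with allowScriptAccess=samedomain injected as a PARAM
// when no value was specified at all. Explicit values (even "always") are kept,
// matching the post: only a forgotten attribute is filled in. `options.httpsOnly`
// models the follow-up in the comments (apply the hack only on HTTPS pages).
function enforceScriptAccess(embed, pageScheme, options = {}) {
  const out = {
    attributes: { ...(embed.attributes || {}) },
    params: (embed.params || []).map((p) => ({ ...p })),
    changed: false,
  };
  if (options.httpsOnly && pageScheme !== "https:") return out;
  if (findScriptAccess(embed) !== null) return out;
  out.params.push({ name: "allowScriptAccess", value: "samedomain" });
  out.changed = true;
  return out;
}

// Effective policy the player would apply after the hack has run.
function effectivePolicy(embed, pageScheme, options) {
  const fixed = enforceScriptAccess(embed, pageScheme, options);
  return (findScriptAccess(fixed) || "always").toLowerCase();
}

// Constructed sample embeds (attribute maps, not live DOM nodes, so this runs
// outside a browser); the .swf file names are made up for the example.
const samples = {
  forgotten: { attributes: { src: "ad.swf", width: "300" } },
  explicitAlways: {
    attributes: { src: "player.swf" },
    params: [{ name: "AllowScriptAccess", value: "always" }],
  },
  explicitNever: { attributes: { src: "banner.swf", allowscriptaccess: "never" } },
};

Object.entries(samples).forEach(([n, e]) => console.log(n, "->", effectivePolicy(e, "http:")));
```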


13 thoughts on “enforcing a stricter Flash security policy”

  1. UFO 3.21 works fine here for me: http://www.gamersyde.com/stream_4521_en.html

    The only difference between this and the newer version is one added property for the opt object, so this should make no difference.

    The only problem I see is that "Click to activate this object" is triggered for all flash objects. Even those added by UFO, for example.

    BTW: hallvors' status: "Playing with soon usable JS debugger prototype :)" Hate you.

  2. Originally posted by d.i.z.:

    BTW: hallvors status: "Playing with soon usable JS debugger prototype "Hate you.

    Noticed that too. And what I'm really interested in is what that 'soon usable' means exactly: does it mean we'll soon be able to use it?

  3. we'll keep breaking the web – one Flash site at a time

    That's cool! I hate Flash ADs and most of Flash sites. Just don't break Flash video sites and I would be completely Ok. 🙂

  4. Originally posted by d.i.z.:

    The only problem I see is that "Click to activate this object" is triggered for all flash objects. Even those added by UFO for example.

    Same "problem" with UFO 3.22.

  5. Some sites I've found:

    www.smog.pl
    www.pudelek.pl

    Floating ads should come up if you browse a bit. These ads are served from o2.pl. This is quite a big portal in Poland that made one of the most popular IM programs here (Tlen). I expect to have ads from this company on a lot of pages.

    And so the story repeats: http://zajec.net/bug/flash_xss . IMO, if you really need this security measure, you should wait till one of the more popular browsers implements it. Or else there will be more problems for Opera.

  6. Poland is important. Thanks for posting about the problems.

    Regarding your flash_xss test case:

    As both flash file and js file are on the same server, Opera should allow flash to access this script file.

    – the JS security model doesn't work like that. An external JS file included in a page has complete access to the page, so we could not give the external Flash access to the script from the same server without basically giving it 100% access.

    I think we'll revert this security hack for HTTP pages but keep it for HTTPS. It might still break some sites, but I think this issue is important.
