
enforcing a stricter Flash security policy


Opera 9.5 'Kestrel' is in beta, so it contains some experimental stuff. "Beta" means "things will be broken", and here is a case where it means "we've broken this on purpose": 9.5 contains a hack that makes Flash content default to a stricter security policy.

Flash can communicate with JavaScript in the page that embeds it. Since you may not trust some random Flash content on your site (think external ads or embedded media players), Macromedia (back when it was still known as Macromedia) came up with the allowScriptAccess setting. It takes one of three values: always, sameDomain or never. When you embed Flash that comes from somewhere else, you should specify allowScriptAccess=sameDomain as an attribute on the embed element or as a PARAM inside the object element; because the SWF then comes from a different domain than the page, it is not allowed to talk to JavaScript in the page (allowScriptAccess=never blocks script access regardless of where the SWF comes from).

The problem was that when Macromedia invented the allowScriptAccess setting, there was already quite a lot of Flash content out there, and most likely a lot of it relied on cross-domain script access not being enforced. They decided to make the Flash player default to always, i.e. to always allow script communication when the page says nothing. Defaulting to the least secure option is bad, but they probably felt they had no choice if the alternative meant temporarily breaking thousands and thousands of Flash sites.

With the 9.5 previews, if you forgot to add allowScriptAccess=sameDomain, Opera adds it for you when invoking Flash. This will break sites, we are well aware of that, and we are already seeing some really high profile casualties. The point of enabling this hack was to see how many broken sites we could find, so we can evaluate whether to remove the hack again or keep it for Kestrel final.
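The policy described in the two paragraphs above (how allowScriptAccess decides whether a SWF may call into the page's JavaScript, and what the 9.5 hack changes when the page author left it out) as a small worked model. This is an added example, not Opera's or Adobe's code: the function names, the plain-object representation of an embed/object element, the constructed sample page and the treatment of unrecognised values as "absent" are all assumptions made for the illustration, and sameDomain is approximated by comparing the host name of the SWF with that of the page.

```javascript
// Added example, not Opera's or Adobe's code. Models the allowScriptAccess
// policy and the Opera 9.5 preview hack that supplies sameDomain as the default.
// All helper names and the element representation are invented for this example.

const KNOWN_POLICIES = new Set(["always", "samedomain", "never"]);

// A SWF embedding is modelled as a plain object:
//   { tag: "embed" | "object", src: <SWF URL>, attrs: {...}, params: [{ name, value }] }
// For <embed> the policy is an attribute; for <object> it is a <param> child.
function declaredScriptAccess(el) {
  let value = null;
  if (el.tag === "embed") {
    const key = Object.keys(el.attrs || {}).find(k => k.toLowerCase() === "allowscriptaccess");
    if (key !== undefined) value = el.attrs[key];
  } else if (el.tag === "object") {
    const p = (el.params || []).find(p => p.name.toLowerCase() === "allowscriptaccess");
    if (p !== undefined) value = p.value;
  }
  if (value === null || value === undefined) return null;
  const v = String(value).toLowerCase();
  // Assumption for this example: an unrecognised value is treated as if absent.
  return KNOWN_POLICIES.has(v) ? v : null;
}

// Flash Player's historical default is "always"; strictDefault=true emulates the
// Opera 9.5 preview behaviour of defaulting to "sameDomain" instead.
function effectiveScriptAccess(el, { strictDefault = false } = {}) {
  return declaredScriptAccess(el) || (strictDefault ? "samedomain" : "always");
}

// Can this SWF call JavaScript in the page at pageUrl?
// sameDomain is approximated here as "same host name as the page".
function mayScript(el, pageUrl, opts) {
  const policy = effectiveScriptAccess(el, opts);
  if (policy === "always") return true;
  if (policy === "never") return false;
  return new URL(el.src).hostname === new URL(pageUrl).hostname;
}

// The browser-side hack expressed as a rewrite of the embedding: add
// allowScriptAccess=sameDomain wherever the page declared nothing.
function enforceSameDomain(el) {
  if (declaredScriptAccess(el) !== null) return el;
  if (el.tag === "embed") {
    return { ...el, attrs: { ...(el.attrs || {}), allowScriptAccess: "sameDomain" } };
  }
  return { ...el, params: [...(el.params || []), { name: "allowScriptAccess", value: "sameDomain" }] };
}

// Constructed sample: a first-party player and a third-party overlay ad,
// both embedded without any allowScriptAccess setting.
const PAGE_URL = "http://www.example.com/index.html";
const SAMPLE_EMBEDS = [
  { tag: "object", src: "http://www.example.com/player.swf", attrs: {},
    params: [{ name: "movie", value: "http://www.example.com/player.swf" }] },
  { tag: "embed", src: "http://ads.example.net/overlay.swf", attrs: {} },
];

// Per embedding: may it script the page under the stock default, under the
// 9.5 default, and once the markup is fixed the way 9.5 fixes it?
function report(embeds = SAMPLE_EMBEDS, pageUrl = PAGE_URL) {
  return embeds.map(el => ({
    src: el.src,
    stockDefault: mayScript(el, pageUrl),
    operaDefault: mayScript(el, pageUrl, { strictDefault: true }),
    afterFix: mayScript(enforceSameDomain(el), pageUrl),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

Run under Node.js. The first-party player keeps script access in every column, while the third-party ad loses it as soon as the default becomes sameDomain, which is exactly the class of content (overlay ads that close themselves via JavaScript) the post expects to break.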

A typical symptom is un-closeable Flash overlay ads, so please look out for those and report anything you come across! It's not unlikely that we will have to revert this feature, but meanwhile we'll keep breaking the web - one Flash site at a time.