Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#11469 closed defect (fixed)

Flash security settings differ for IE

Reported by: Eugene Lazutkin
Owned by: Mike Wilcox
Priority: high
Milestone: 1.6
Component: Dojox
Version: 1.5
Keywords:
Cc:
Blocked By:
Blocking:

Description

dojox\embed\Flash.js contains two different paths to create a Flash object: one is for IE, and the other one for all other browsers. One of the logical differences between them is the missing security settings for IE.

This is how "others" are being set up:

var s = '<embed type="application/x-shockwave-flash" '
+ 'src="' + path + '" '
+ 'id="' + kwArgs.id + '" '
+ 'width="' + kwArgs.width + '" '
+ 'height="' + kwArgs.height + '"'
+ ((kwArgs.style)?' style="' + kwArgs.style + '" ':'')
+ 'swLiveConnect="'+kwArgs.swLiveConnect+'" '
+ 'allowScriptAccess="' +kwArgs.allowScriptAccess+  '" '
+ 'allowNetworking="' +kwArgs.allowNetworking+  '" '

+ 'pluginspage="' + window.location.protocol + '//www.adobe.com/go/getflashplayer" ';

This is how IE is set up:

var s = '<object id="' + kwArgs.id + '" '
+ 'classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" '
+ 'width="' + kwArgs.width + '" '
+ 'height="' + kwArgs.height + '"'
+ ((kwArgs.style)?' style="' + kwArgs.style + '"':'')
+ '>'
+ '<param name="movie" value="' + path + '" />';

Note that swLiveConnect, allowScriptAccess, and allowNetworking are missing in IE. It prevents SWF files working on IE in some cases (depending on many factors including the version of Flash used).

One way to fix it is to add the missing parameters like this:

var s = '<object id="' + kwArgs.id + '" '
+ 'classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" '
+ 'width="' + kwArgs.width + '" '
+ 'height="' + kwArgs.height + '"'
+ ((kwArgs.style)?' style="' + kwArgs.style + '"':'')
+ '>'
+ '<param name="movie" value="' + path + '" />'
+ '<param name="swLiveConnect" value="'+kwArgs.swLiveConnect+'" />'
+ '<param name="allowScriptAccess" value="' +kwArgs.allowScriptAccess+  '" />'
+ '<param name="allowNetworking" value="' +kwArgs.allowNetworking+  '" />';

Change History (5)

comment:1 Changed 9 years ago by Mike Wilcox

Resolution: invalid
Status: new → closed

Look at the next line, #65, after what you copied and pasted:

if(kwArgs.params){
    for(p in kwArgs.params){
        s += '<param name="' + p + '" value="' + kwArgs.params[p] + '" />';
    }
}

That's where the security gets set.

This was broken in FLVideo. After fixing that, Embed Flash looks to be working correctly.

comment:2 in reply to:  1 Changed 9 years ago by Eugene Lazutkin

Resolution: invalid
Status: closed → reopened

Replying to mwilcox:

That's where the security gets set.

I understand perfectly the rush to close all tickets as invalid, but no, it is not. ;-)

A simple example: in my snippet (largely copied from the non-IE branch) this value is being generated:

'<param name="allowNetworking" value="' +kwArgs.allowNetworking+  '" />'

In the next loop (cited by you) these values are being created:

'<param name="' + p + '" value="' + kwArgs.params[p] + '" />';

Could you see the difference? Let me make it more obvious:

kwArgs.allowNetworking
kwArgs.params.something

If you want to move all security settings to params you need to fix the non-IE branch, which uses kwArgs.allowNetworking directly, and in general decide how you specify security defaults, e.g., inside or outside of params --- right now they are all outside right in the root of kwArgs.

comment:3 Changed 9 years ago by Mike Wilcox

Ok, I see now. Actually it's the non-IE side that's incorrect. All the specific security settings are being set when it loops through args.params. This was apparently being double-set, but corrected by the browser.

comment:4 Changed 9 years ago by Mike Wilcox

Resolution: fixed
Status: reopened → closed

(In [22533]) Fixed #11469 - fixed double setting of params in non-ie embed code

comment:5 Changed 9 years ago by bill

Milestone: tbd → 1.6
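
The root-versus-params mismatch discussed in this ticket comes from two markup builders reading the security settings from different places. The sketch below is an added example, not part of the ticket and not the dojox.embed.Flash source: it resolves the settings once and feeds the same list to both builders, so neither path can omit or double-set a value. The helper names (escAttr, resolveParams, embedMarkup, objectMarkup, countSetting), the sample input, the case-insensitive name matching and the rule that a params entry overrides a root-level value are all assumptions.

```javascript
// Added example: hypothetical helpers, not the dojox.embed.Flash source.
const SECURITY_KEYS = ["swLiveConnect", "allowScriptAccess", "allowNetworking"];
// Escape a value for use inside a double-quoted HTML attribute.
function escAttr(v) {
  return String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Merge root-level settings and kwArgs.params into one ordered list.
// Assumption: names compare case-insensitively and a params entry wins.
function resolveParams(kwArgs) {
  const merged = new Map(); // lowercased name -> [name, value]
  const put = (k, v) => {
    if (!/^[A-Za-z][\w-]*$/.test(k)) throw new TypeError("bad param name: " + k);
    merged.set(k.toLowerCase(), [k, v]);
  };
  for (const k of SECURITY_KEYS) if (kwArgs[k] !== undefined) put(k, kwArgs[k]);
  for (const [k, v] of Object.entries(kwArgs.params || {})) put(k, v);
  return [...merged.values()];
}

function embedMarkup(kwArgs, path) {
  const attrs = resolveParams(kwArgs).map(([k, v]) => ` ${k}="${escAttr(v)}"`);
  return `<embed type="application/x-shockwave-flash" src="${escAttr(path)}"` +
    ` id="${escAttr(kwArgs.id)}" width="${escAttr(kwArgs.width)}"` +
    ` height="${escAttr(kwArgs.height)}"${attrs.join("")} />`;
}

function objectMarkup(kwArgs, path) {
  const params = resolveParams(kwArgs)
    .map(([k, v]) => `<param name="${k}" value="${escAttr(v)}" />`);
  return `<object id="${escAttr(kwArgs.id)}"` +
    ` classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"` +
    ` width="${escAttr(kwArgs.width)}" height="${escAttr(kwArgs.height)}">` +
    `<param name="movie" value="${escAttr(path)}" />${params.join("")}</object>`;
}

// How many times a setting appears in generated markup, ignoring case.
function countSetting(markup, name) {
  const re = new RegExp(`(?:\\s${name}=|name="${name}")`, "gi");
  return (markup.match(re) || []).length;
}

// Constructed input: root-level values plus a differently-cased params entry.
const sample = {
  id: "player", width: 320, height: 240,
  allowScriptAccess: "sameDomain", allowNetworking: "all", swLiveConnect: true,
  params: { allowscriptaccess: "never", wmode: "transparent" }
};
```

With the constructed sample, both builders emit each security setting exactly once, and the stricter allowscriptaccess value from params replaces the root-level one in both outputs.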