Gigya is widget advertising network. Their server takes a query parameter src=http://apps.cooliris.com/embed/cooliris.swf... and replies with <embed src="http://apps.cooliris.com/embed/cooliris.swf" ... XSSAuditor blocks this. Gigya appears to be using some sort of hash to validate the query parameters so this is probably a false positive. I'm not sure how to fix it in WebKit other than allowing direct injections into the src attribute of an embed tag. Another option is to respect X-XSS-Protection (bug 27312) and then Gigya can opt out of XSSAuditor. We could also ask Gigya to obfuscate their query parameters to sneak pass XSSAuditor.
I bet this is fixed now. Can we re-test?
Verified fixed in the latest WebKit nightly (r52686). Test URL: http://mturner.wordpress.com/2009/12/08/cooliris-express-bringing-the-wall-to-your-website/ I believe Adam fixed this in r52532. There is a regression test so we should be all set.