This bug might be more for the Sites team, but there's definitely a WebKit error being thrown that seems a bit suspect so I figured I'd start here.
I work for Animoto.com, a video generation service, which publishes a lot of video to the web via a Flash video player. We include a URL in our flashvars for our Pro users to be able to provide a linkback to their websites. While Chrome loads our player just fine with standard embeds, when embedded via a Gadget embed in Sites, WebKit is choking on:
"Refused to load an object. URL found within request"
Perhaps via XSSAuditor::canLoadObject().
Example -- if you hit this link soon you may see the problem, although the user will probably try to fix it:
(For comparison, a non-gadgets embed with URL in Flashvars that loads fine: http://www.davidmartschinske.com/)
I'm sure there are valid security reasons for calling XSSAuditor::canLoadObject to try and weed out risky content. However, passing a url into a swf's flashvars does not constitute a security risk in and of itself, as evidenced by Animoto's vanilla use case. Perhaps there's some way WebKit and the Sites team can improve this filtering a little, so that low-threat use cases aren't unnecessarily blocked.
Thanks for your time -- If this needs to be passed to the Sites team please let me know if there's a way to bypass their forum as an entry point.
(OK to contact me offlist regarding this specific issue)
Created attachment 50164
Web archive of page
For preservation of page.
Created attachment 50165
HTML source for page
For preservation and convenience, just the HTML source for the page.
For completeness, the error message is:
Refused to load an object. URL found within request: "http://static.animoto.com/swf/w.swf?w=swf/vp1&e=1267732564&f=kbTH10UL1werpQ1xttXQow&d=206&m=a&r=w+s&i=m&ct=1st%20Nepean%20Scouts&cu=http://sites.google.com/site/1stnepeanscouts/parents&options=autostart/start_hq".
I am not too familiar with Google Gadgets or its workings. Adam may have more insight into this.
(In reply to comment #3)
> calls document.innerHTML with the contents of the anchor #up_embed_snippet.
I meant to say that it sets the innerHTML of the element whose id is "dest" to the contents of the anchor #up_embed_snippet.
I think googleusercontent.com is meant to be a "throw away" domain that hosts untrusted content. From your description it sounds like the gadget itself has an XSS vulnerability. The gadget author should probably either fix their security vulnerability or opt out of XSS protection by sending the X-XSS-Protection: 0 header. (Note that this control header is still under review at <https://bugs.webkit.org/show_bug.cgi?id=34436>.)
This should be resolved by Bug 230499.
*** This bug has been marked as a duplicate of bug 230499 ***