Strict Standards: Static function gapiAuthMethod::getMethodName() should not be abstract in /home/zajec/domains/zajec.net/public_html/include/gapi.class.php on line 598

Strict Standards: Static function gapiAuthMethod::getTokenName() should not be abstract in /home/zajec/domains/zajec.net/public_html/include/gapi.class.php on line 605

Warning: Cannot modify header information - headers already sent by (output started at /home/zajec/domains/zajec.net/public_html/include/gapi.class.php:598) in /home/zajec/domains/zajec.net/public_html/modules/TextFiles/controller.php on line 13
flash cross site security bug

Too strict cross-site security for flash embeds

Description

Try to close flash popup with mouse. With Opera 9 this is not possible. Works in Opera 8. Problem first appeared in Opera 9 build 8238 (windows)

Index file is located at: http://zajec.net/bug/flash_xss/
Script used by flash: http://my.opera.com/d.i.z./homes/bugs/onFinishedPlaying.js
Flash file located at: http://my.opera.com/d.i.z./homes/bugs/flashPopup.swf

As both flash file and js file are on the same server, Opera should allow flash to access this script file. It appears that Opera 9 thinks that it's a XSS issue and prevents access to functions defined in script. If everything is on the same page (html, js, flash) it works in all Opera versions - can be verified here: Local Files.

UPDATE: Fixed in Windows 9.00.8518 build.

UPDATE2: Since when Flash 9 started working in Opera for linux, there is similar bug in there. Seems a bit different though because "Local version" does not work too.

Testcase


This red background should also disappear.
diz courtesy of zajec.net