deanagit / swfobject

Automatically exported from code.google.com/p/swfobject
0 stars 0 forks source link

Make testPlayerVersion optional #462

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Some users are sensitive about flash being loaded without their consent.
For security-sensitive sites it would be nice to be able to bypass the call
to testPlayerVersion() and thereby avoid loading a flash movie surreptiously.

Original issue reported on code.google.com by ctemp...@gmail.com on 26 Apr 2010 at 1:24

GoogleCodeExporter commented 9 years ago
This is, of course, not a defect but an enhancement request. Thanks

Original comment by ctemp...@gmail.com on 26 Apr 2010 at 1:25

GoogleCodeExporter commented 9 years ago
So don't call the swfobject functions until the user has accepted the use of 
Flash... 
The paage can invoke the required swfobject js methods when and if required

I don't really see how the non-use of SWFObject is a enhancement request :)

Am I missing something? 

Original comment by aran.rhee@gmail.com on 27 Apr 2010 at 8:13

GoogleCodeExporter commented 9 years ago
Thanks for your reply. I'm not talking about loading my movies. I can handle 
that. :)

Rather, testPlayerVersion() creates its own flash object and temporarily adds 
it to
the DOM. This is triggered by the event DOMContentLoaded, which happens too 
early in
the page lifecycle to gather user feedback.

It would be great if this loading of a test flash object could be optionally 
disabled.

Original comment by ctemp...@gmail.com on 27 Apr 2010 at 1:06

GoogleCodeExporter commented 9 years ago
Gotcha.

Two ways of moving forward now a) patch swfobject to your liking, or b) include 
the 
swfobject.js dynamically once you have decided it is "flash time". Something 
like:

function include_dom(script_filename) {
    var html_doc = document.getElementsByTagName('head').item(0);
    var js = document.createElement('script');
    js.setAttribute('language', 'javascript');
    js.setAttribute('type', 'text/javascript');
    js.setAttribute('src', script_filename);
    html_doc.appendChild(js);
    return false;
}

I have remarked the status as 'new', and it will be discussed amongst the team 
members.

Original comment by aran.rhee@gmail.com on 28 Apr 2010 at 12:09

GoogleCodeExporter commented 9 years ago
SWFObject does not need to be modified to provide this support.

*  testPlayerVersion is only invoked as part of the domready sequence used by 
swfobject.embedSWF(). swfobject.createSWF() does not invoke testPlayerVersion.  

* if you don't want to use testPlayerVersion without the visitor's permission, 
write a custom JavaScript function that only invokes embedSWF() or createSWF() 
after the visitor grants permission.

(BTW, testPlayerVersion() does *not* embed an actual SWF file, it creates an 
*empty* <object>, so I don't see how this violates someone's trust or security. 
No SWFs are ever loaded.)

Original comment by platelu...@gmail.com on 7 Nov 2010 at 9:57