April 1st, 2008

archimedes

Embedding Adobe Flash applets.

Isn't there a potential security/privacy/nuisance issue with allowing people to embed arbitrary Flash applets from any website?

I'm not that familiar with Flash's capabilities in terms of reading from or manipulating the web browser, but I know a few other things that can be done.

At the very least, people can use Flash cookies to track users even if their IP address changes. I'm sure that people wouldn't appreciate this.

And of course, it can be made to be a huge nuisance by vastly slowing down a computer and potentially crashing the web browser. Of course, it can also display arbitrary video and play arbitrary audio.

The solution to this, which I previously mistakenly thought was already implemented, is to only allow Flash from certain trusted sites, such as YouTube. Since 99% of embedded Flash on LiveJournal is from a relatively small list of websites, this shouldn't be hard to maintain, especially with a submission form to add new websites.
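A sketch of the allowlist check proposed above, as an added example that is not part of the original post and not LiveJournal's code. The names `TRUSTED_HOSTS`, `is_trusted_embed` and `audit_post`, the allowlist entries and the sample markup are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist; the post names only YouTube as a trusted site.
TRUSTED_HOSTS = {"youtube.com", "www.youtube.com"}

def is_trusted_embed(src):
    """True only for an absolute http(s) URL whose exact host is allowlisted."""
    try:
        parts = urlsplit(src.strip())
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False  # rejects scheme-relative, javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return False  # rejects "trusted-name@other-host" userinfo tricks
    # Exact match, never substring or prefix: "youtube.com.x.example" fails.
    return host.rstrip(".") in TRUSTED_HOSTS

class EmbedAuditor(HTMLParser):
    # Collects each Flash source URL in a post with its allow/deny verdict.
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (url, allowed)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "embed":
            url = a.get("src")
        elif tag == "object":
            url = a.get("data")
        elif tag == "param" and (a.get("name") or "").lower() == "movie":
            url = a.get("value")
        else:
            return
        if url is not None:
            self.findings.append((url, is_trusted_embed(url)))

def audit_post(html):
    auditor = EmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample post: one normal embed, two look-alike hosts.
SAMPLE_POST = (
    '<object><param name="movie" value="http://www.youtube.com/v/ID">'
    '<embed src="http://www.youtube.com/v/ID"></object>'
    '<embed src="http://www.youtube.com.tracker.example/a.swf">'
    '<embed src="http://www.youtube.com@tracker.example/a.swf">'
)
```

A filter built on this would drop or neutralize any tag whose verdict is `False` rather than only report it.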