Make WordPress Core

Opened 12 years ago

Closed 9 years ago

#20148 closed enhancement (worksforme)

Preview post in Webkit browser doesn't render Flash objects

Reported by: thomasvanderbeek's profile thomasvanderbeek Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3.1
Component: General Keywords:
Focuses: Cc:


When inserting a Flash <object> via HTML and use Preview function in Chrome it doesn't show.

  • Tested on a clean WordPress 3.3.1 install, no plugins activated, theme: twentyeleven.
  • The <object> code is available in the sourcecode. It just doesn't render... When you hit refresh it shows.
  • Tried this on multiple work stations (Windows and Mac os). All versions of Chrome.
  • Only in Chrome. Firefox has no issues with this function.
  • There is no difference between Multisite or Single site installations.
  • I'm Administrator (or Network administrator) in all cases.

Issue is also on WordPress support forums:

Change History (18)

#1 @CoenJacobs
12 years ago

  • Cc coenjacobs@… added

Tried this in a blank WordPress install too, problem occurs in Chrome only. Is there something that conflicts with the Webkit engine? Funniest part is that after a refresh it does show the embed. The source code of the page is the exact same in both cases; before and after the refresh.

#2 @thomasvanderbeek
12 years ago

  • Summary changed from Preview post in Chrome (Mac OS) doesn't render Flash objects to Preview post in Chrome doesn't render Flash objects

#3 @ocean90
12 years ago

Could you please provide some <object> code?

#4 @CoenJacobs
12 years ago

I've used an old embed code from a (not so random :) ) YouTube video:

<object width="420" height="315"><param name="movie" value=";hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src=";hl=en_US" type="application/x-shockwave-flash" width="420" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object>

#5 @ocean90
12 years ago


The log gives me: Refused to execute a JavaScript script. Source code of script found within request.

#6 @ocean90
12 years ago

  • Keywords dev-feedback removed
  • Summary changed from Preview post in Chrome doesn't render Flash objects to Preview post in Webkit browser doesn't render Flash objects

#7 @CoenJacobs
12 years ago

  • Type changed from defect (bug) to enhancement

Was afraid we would stumble on something like this.

With Webkit doing this, isn't it likely any other browser engine will also start refusing scripts in HTTP requests? I think it is a valid feature request to think of another way to make the preview work.

#8 @johnbillion
12 years ago

  • Cc johnbillion added

#9 @johnbillion
12 years ago

Is there even a way around this? The embed code has to be present in the POST request and it has to be returned in the response for the preview. I wouldn't be surprised if the same code present in the response to a redirect after the POST also gets blocked, but I haven't tried it.

#10 @johnbillion
12 years ago

Ok there's an X-XSS-Protection header available for controlling the protection (if you can call it that). Protection will be disabled with a value of 0 in the header. Maybe we could output that header in post previews.

#11 @ocean90
12 years ago

johnbillion, I've just tried this.

In wp-admin/includes/post.php

case 'preview':
	check_admin_referer( 'autosave', 'autosavenonce' );

	$url = post_preview();

	header( "X-XSS-Protection: 0", true );

Header will be sent, but message is still there.

#12 @johnbillion
12 years ago

I expect the header needs to be included on the preview page itself, not on the response with the redirect.

#13 @ocean90
12 years ago

Yeah, you are right, this works for me:

function send_no_xss_protection_header( $headers, $object ) {
	if ( ! empty( $object->query_vars['preview'] ) )
		$headers['X-XSS-Protection'] = 0;

	return $headers;
add_filter( 'wp_headers', 'send_no_xss_protection_header', 10, 2 );
Last edited 12 years ago by ocean90 (previous) (diff)

#14 @vegasgeek
12 years ago

  • Cc john@… added

As a side note, I clicked preview in Chrome and the embed didn't show up. But, hitting refresh on the browser for the preview page caused the embed to show up.

#15 @ocean90
11 years ago

Duplicate: #21047

#16 @toscho
11 years ago

  • Cc info@… added

#17 @ocean90
11 years ago

#23437 was marked as a duplicate.

#18 @chriscct7
9 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

The sample object provided in comment:4 works in Chrome 42.0.2311.135. Looks like Chrome fixed this at some point. Closing as worksforme

Note: See TracTickets for help on using tickets.