Friday, July 16, 2010

Firefox and Flash Security Warning Annoyance: Banished

So let’s set the stage.

Using Firefox 3.6.7 on Windows 7 Home Premium, X64 flavor.  Working just fine.

Use NewsFox as my integrated RSS feed reader.  Working just fine.

Starting last weekend, however, I suddenly started getting this annoying Adobe Flash Player Security warning pop-up when tripping over certain RSS feed items.

2010-07-15_222332

Different feed sites. The common factor was that they all contained embedded YouTube videos.  However, other feed articles which also had embedded YouTube content might not display the link.

The annoyance was that sometimes, on some articles that displayed the link, Firefox would freeze.  Sometimes I would have to wait up to two minutes for Firefox to unlock.  Sometimes I would get a Firefox plugin crash alert and other times I would not.

Some sites allowed me to click on the “OK” button and the media would display and we would keep moving.  Clicking on “Settings” didn’t seem to be helping at all.  The dialog window might go away but I never saw that it made a difference.

I checked all my NoScript settings and filters.  I checked all my AdBlock Plus settings and features.  I added a custom “s.ytimg.com/yt/swf/PMS*.swf” filter per a commonly circulating forum tip to AdBlock Plus.  No dice.  See the bottom of this old GSD post for my previous wrestles with Firefox and Flash.

It was getting really aggravating.

Other’s have been sporadically reporting on this general issue (with Flash causing lockups in Firefox) as well with much frustration but no effective solution.

I even uninstalled my newly loaded Adobe CS4 applications, reading somewhere that it was possible that security setting in that suite might impact Flash handling for local/internet zones.   Didn’t help.

I had installed – uninstalled – and reinstalled the Flash plugin for Firefox multiple times.  No fix.

I would not get the error while loading the “full” pages referenced by the RSS feed, only when loading them in the right hand viewing pane in NewsFox.

During all this troubleshooting and web searching, I had been going in and out of the Adobe Flash Player : Settings Manager.  I had been tweaking all the settings, trying to set everything (shudder) to “Always allow” under all the tabs.  Nada on the fix.

I confirmed the s.ytimg.com was present and allowed for security access. Nothing.  Then set it to “Always deny”.  No helpful.

I even did a Process Monitor trace during one such test replication and found lots of calls from the plugin-container.exe as it was handling the Flash elements, but no smoking gun.

After many hours this past week I was really getting burned out on the issue.

So in zombie mode, I spent three more hours banging my head on the keyboard until sometime past midnight when certain grey cells in the melon in my skull aligned.

And I read the stupid error message again.

“ Adobe Flash Player has stopped a potentially unsafe operation.
The following local application on your computer or network:

about:blank

is trying to communicate with this Internet-enabled location:

s.ytimg.com

To let this application communicate with the Internet, click Settings.
You must restart the application after changing your settings.”

Hmmm.  Had Captain Obvious missed anything by focusing on access to s.ytimg.com as the issue?

Although I had confirmed s.ytimg.com was listed in the Flash settings (and all the AdBlock Plus and NoScript filters as well), I didn’t see any mention or presence of about:blank in my Flash security settings.

Wonder what would happen if I manually added it under the Adobe Flash Player Settings Manager - Global Security Settings panel?

2010-07-16_084417


2010-07-16_084612


2010-07-16_084245

I restarted Firefox, just for good measure, and tested it on a known RSS feed article that was guaranteed to trigger the alert.

Guess what?

It worked.  No more Flash Security Alerts alerts when tripping over embedded You Tube videos in my RSS reader within Firefox.

I also found that setting it to “Always Deny” also seems to suppress the Flash Security Warning alert window as well, though I’m leaving mine set for “Always Allow” for the time being.

These are all trusted sites so hopefully I’m not opening up the browser/system to XSS vulnerabilities or other headaches by dong so.

Choose according to your comfort level.

Hope this helps other’s resolve this annoying (but probably beneficial) security warning.

Still don’t know why it suddenly started popping up last week out of nowhere…  There hasn’t been a new version of NewsFox for some time, and my Flash version has remained current/updated, so no changes there.  Only thing I can figure is it may have had something to do with the recent bump from Firefox (for Windows) version 3.6.6 to the 3.6.7 version now running.  Maybe the schema for handling “about:blank” calls by pages (as handled by NewsFox at least) has been changed slightly in 3.6.7.  I’ve only got speculation at this point.

Cheers!

--Claus V.

10 comments:

Anonymous said...

I'm a bit confused, Firefox 3.6.7 has yet to be released (currently scheduled for July 20). I thought may be you were running nightly builds but those are for Firefox 3.6.8 (or 3.6.8pre to be exact).

Anyway I use Brief for my feeds and have noticed similar behaviour (freeze) on some feed that which have YouTube videos, but I don't get the warning. Although recently I haven't had this issue after having to do a clean install of Firefox 3.6.6 earlier this week and then going back to the nightly builds.

I am kinda surprised Firefox didn't just kill the plugin process as it would now for an unresponsive plugin after about 45 seconds. Which was the only change from 3.6.4 to 3.6.6 (Mozilla skipped 3.6.5 because the branch 1.9.2.5 was being used by Fennec) released 3-days later.

Anonymous said...

Just want to let you know that you post helps.

I have been testing an flash animation file on my local drive all day, run into the same error message like you had. I used Flash CS3 and Firefox 3.6.6.

Once I followed your steps and looked into where the path caused the errors, the problem solved. Thanks so much!

Jessie

Claus said...

@ Jessie - Thanks for the kind words and validation! Glad it wasn't just a weird thing on my own system.

I hoped this would help others.

Cheers!

--Claus V.

Claus said...

@ ffextensionguru -- Actually you and I are both correct. 3.6.6 is the current release version and I am not running nightly builds (at least on my primary Firefox executable).

I'm on the beta update channel. So that usually puts me just a bit ahead of the regular release curve.

Update Channel Selector :: Add-ons for Firefox

Oxymoronical » Update Channel Selector

I had even forgotten about it until your comment.

Also, as you mentioned, I did sometimes get a plugin process "kill" as it indeed it ended the unresponsive Flash plugin element on the page, but that then seemed to freeze my NewsFox session page as well, which required a browser restart. That wasn't really helpful.

Other times it never would kill the plug-in and would just stay frozen.

That's why I found it to be a particularly bothersome annoyance and wasn't one that could be easily ignored.

Kinda was like walking though a minefield checking my feeds. I never knew when one might go off, and if I would walk away from it or not.

This "fix" seems to be holding for now.

Great comments and observations!

Cheers!

--Claus V.

Anonymous said...

Thank You Claus, I have been having this problem for about 2 weeks every time I opened a new tab in Fire Fox 4.1. It was driving me crazy and I couldn't figure it out. This worked like a charm, thanks!!

Kev said...

YOU ARE THE GRAND MASTER - THANK YOU THANK YOU THANK YOU.

Finally after trying to get this flash popup warning to go, i finally did it with your help.....THANK YOU Claus Valca.

I added the "[object]" string into the trust location just as you did with your "about:blank" solution and whalaaa - PROBLEM solved.....

My popup was being caused by the "[object] instead of "about:blank" but the solution was identical.

Keep up the great work sir Claus Valca.

Take care.

Kev

Claus said...

@ Kev - No problem! Glad the tip helped out.

Thank you very much for taking the time to say "thanks" and sharing feedback. It's nice to know folks find these ramblings helpful...especially the old ones!

Cheers!

Claus V.

gast! said...

Thanks man, really weird this bug still appears in the wild though.

about:blank - life saver.

Anonymous said...

Grassy-ass. Fixed a longstanding annoyance in Opera - although it was with "javascript:". I should probably be concerned with the security ramifications, but...

G. Lek said...

Wow. Finally, that annoying message about resource:\\pdf.js is gone!!
This article really helped me a lot!
Thank you very much!