Permissions Denied to get Property location.toString in FireFox 3

July 02, 2008 @ 1:31 pm- from Geneva, Switzerland

Since installing FireFox 3, including earlier betas, I've been getting errors that show up on a host of different sites - including on my own. It appears that most errors are related to the advertising that runs here and more specifically Flash ads. While the errors are harmless enough and don't actually cause any noticeable problems on pages or even the Flash ads, they do show as annoying errors in Firebug.

The errors displayed look something like this and they always seem to point at some baffling unrelated JavaScript content in the HTML document:

The above screen shot is from Yahoo's news page to a linked item and is clearly related to Flash components as evidenced by the script filename. What's interesting is that these errors started showing up only with FireFox 3.0. Running IE or FireFox 2.x never ran into these issues, so it appears that this is related to some new security feature in FF3.

The problem is fairly prevalent and it seems that most of it is related to content loaded into separate frames - as many ad services do. Google Adsense seems a frequent problem as well as other services that use Flash or even HTML based content typically loaded into iFrames dynamically.

I've been searching around for some time trying to determine what causes this error and maybe more interestingly what security setting controls this particular error. I hate seeing errors - any errors in Firebug pop up. While there are a number of hits on this particular error none seem to point at a the same situation I'm seeing here namely with Flash components.

[updated - comments where down this morning and a few emailed comments where sent]

As Dave Ward pointed out in a message earlier today while my comments where down, the issue seems to be related to changes in the Flash player and cross domain policy. He sent this link that explains more and indeed adding a crossdomain.xml file solves the issue:

http://willperone.net/Code/as3error.php

Still this is not very satisfying. While that solves the problem for me on my site (in testing only), it doesn't address the errors on other sites that haven't updated their cross-domain files.

Posted in HTML

Feedback for this Weblog Entry

re: Permissions Denied to get Property location.toString in FireFox 3
by kL July 03, 2008 @ 4:20 pm

Why would you allow 3rd parties to access everything on your site? It's a warning about attempted security breach and your solution is to open doors wider?

Just tell your advert provider to stop snooping around your pages and user-private data on them.

re: Permissions Denied to get Property location.toString in FireFox 3
by Richard July 04, 2008 @ 3:03 am

kL: The problem here is not related to third parties snooping on your users.

Third parties can't access page data if the third party is in a cross-domain iframe; that's already handled by browser security, and that's partly why ads are served into iframes. If it's not served into an iframe there is little or no security available anyway.

A crossdomain.xml file doesn't affect what third parties can see in the browser, just what files Flash can access on the domain. The only additional issue is risking CSRF attacks - but these should already be blocked by appropriate security measures server-side.

The problem is that a combination of changes in FireFox 3 and Flash 9.0.124.0 is causing this obscure error to pop up on a wide range of pages across the internet. People should certainly be aware of the CSRF issues with a wildcard crossdomain.xml, but if it works it is still a valid solution.

re: Permissions Denied to get Property location.toString in FireFox 3
by Rainer July 04, 2008 @ 1:22 pm

Hi Rick,

Did you know that Flash Player 10 beta 2 is released.

http://labs.adobe.com/downloads/flashplayer10.html

re: Permissions Denied to get Property location.toString in FireFox 3
by Joe September 09, 2008 @ 2:34 am

Any thing else on this topic? I am just trying to get the height from the main page through an iframe. This problem does seem to be causing a lot of problems for the ad networks.
thanks