Hey All,

I've been working on integrating this great module into our new drupal 5.x powered site. So far so good with most other providers but I am getting this weird security error with Vimeo Videos.

SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://bitcast.vimeo.com/vimeo/swf/moogaloop.swf?clip%5Fid=993998&server... cannot access http://new.unitedliberty.org/content/awsome-but-bizarre-graffiti-animation.

At first, this was occuring in Firefox and IE. I investigated the error and while there wasn't very much to go on, I found that it could be related to "allowscriptaccess" in the embed. I updated vimeo.inc with an embed that mimics the latest embed provided by vimeo when you click embed on a video. It looks like this:

$output = '<object type="application/x-shockwave-flash" width="'. $width .'" height="'. $height .'" data="http://www.vimeo.com/moogaloop.swf?clip_id='. $embed .'&amp;server=www.vimeo.com&amp;fullscreen='. $fullscreen .'&amp;show_title='. $show_title .'&amp;show_byline='. $show_byline .'&amp;show_portrait='. $show_portrait .'&amp;color='. $color .'">';
    $output .= '<param name="quality" value="best" />';
    $output .= '<param name="allowfullscreen" value="'. ($fullscreen ? 'true' : 'false') .'" />';
    $output .= '<param name="scale" value="showAll" />';
    $output .= '<param name="allowscriptaccess " value="always" />';
    $output .= '<param name="movie" value="http://www.vimeo.com/moogaloop.swf?clip_id='. $embed .'&amp;server=www.vimeo.com&amp;fullscreen='. $fullscreen .'&amp;show_title='. $show_title .'&amp;show_byline='. $show_byline .'&amp;show_portrait='. $show_portrait .'&amp;color='. $color .'" />';
    $output .= '<embed src="http://vimeo.com/moogaloop.swf?clip_id='. $embed .'&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen='. $fullscreen .'" type="application/x-shockwave-flash" allowfullscreen="'. ($fullscreen ? 'true' : 'false') .'" allowscriptaccess="always" width="'.$width.'" height="'.$height.'"></embed>';
    $output .= '</object>';

This seems to have stopped the security warning in Firefox but I am still getting it in IE. You can look at the error for yourself at this url: http://new.unitedliberty.org/content/awsome-but-bizarre-graffiti-animation (this is a beta version of the site, once we iron out all bugs it will be moving to www.) We added a crossdomain.xml with a * allow.

Thanks for your help, and let me know if any other inf would be useful. I'll post back here if we solve the problem in the mean time.

Comments

te-brian’s picture

te-brian commented

EDIT: URL has been changed to http://new.unitedliberty.org/videos/awsome-but-bizarre-graffiti-animation but I am doing some debugging so the state of that page may not be useful at any given moment.