How can I get around Safari's XSS auditor for rendering remote flash objects on POST?

Front-end · unresolved · 2 answers · 1517 views
佛祖请我去吃肉 2021-01-23 05:07

I have a form that allows you to embed YouTube videos, and when it POSTs it renders the YouTube video. The problem is that Safari (since 5.0) has an XSS Auditor that throws this

2 answers
  •  生来不讨喜  2021-01-23 05:37

    I resolved this with abarth on #webkit:

    Safari 5 is trying to prevent a reflective XSS attack, by not allowing embeds that appear in the POSTed params.

    There are two things I can do:

    1. I can send the X-XSS-Protection: 0 header, which indicates that I know what I'm doing, and can protect against XSS myself.
    2. I can not send the embed code in a param, which is actually a viable option for me, as the embed codes are stripped by the backend anyways.
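Added example (not code from the thread, and not abarth's or WebKit's): a Node.js handler showing both options from the answer above. Option 2 is the one to prefer: the form submits only a YouTube video ID or URL, the server validates it against YouTube's 11-character ID alphabet (an assumption about YouTube's format, true at time of writing) and builds the `<iframe>` from a constant template, so no client-supplied markup is ever reflected and the auditor has nothing to match. Option 1 sets `X-XSS-Protection: 0` on the single response that legitimately reflects sanitised markup, never site-wide. The field names `video` and `embed`, and the `sanitize` callback standing in for the backend's own stripping, are assumptions. A caveat for anyone reading this today: Chrome removed its XSS Auditor in version 78 and current Safari/WebKit no longer ship one, so the header only affects older browsers; the validate-and-render approach works everywhere.

```javascript
// Added example: rendering a YouTube embed after a POST without reflecting
// client-supplied markup (option 2), plus the opt-out header (option 1).
// Field names, the sanitize callback and the ID format are assumptions.

// Assumption: YouTube video IDs are 11 characters from this alphabet.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Accept a bare ID, a youtube.com watch/embed URL or a youtu.be URL.
// Anything else (including pasted <embed>/<iframe> HTML) yields null.
function extractVideoId(input) {
  const s = String(input).trim();
  if (YOUTUBE_ID.test(s)) return s;
  let url;
  try { url = new URL(s); } catch { return null; }
  const host = url.hostname.replace(/^(www|m)\./, '');
  let id = null;
  if (host === 'youtu.be') {
    id = url.pathname.slice(1);
  } else if (host === 'youtube.com') {
    id = url.searchParams.get('v')
      || (url.pathname.match(/^\/embed\/([^/]+)/) || [])[1]
      || null;
  }
  return id && YOUTUBE_ID.test(id) ? id : null;
}

// The only markup in the page comes from this server-side template.
function renderEmbed(videoId) {
  const id = escapeHtml(videoId); // already validated; escaped anyway
  return `<iframe width="560" height="315" ` +
    `src="https://www.youtube.com/embed/${id}" frameborder="0" allowfullscreen></iframe>`;
}

// Option 2: POST { video: <id or URL> }. Returns a plain response object so it
// can be adapted to any server framework (and unit-tested without sockets).
function handleVideoPost(fields) {
  const id = extractVideoId(fields.video || '');
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (!id) {
    return { status: 400, headers, body: '<p>Invalid YouTube video.</p>' };
  }
  return { status: 200, headers,
           body: `<!doctype html><h1>Your video</h1>${renderEmbed(id)}` };
}

// Option 1: only if submitted markup really must be reflected. `sanitize` is a
// placeholder for the backend's own stripping; the header is scoped to this
// one response, which is the narrowest possible opt-out.
function handleRawEmbedPost(fields, sanitize) {
  const clean = sanitize(fields.embed || '');
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'X-XSS-Protection': '0' },
    body: `<!doctype html>${clean}`
  };
}

// Adapter for Node's built-in http module (not invoked here):
//   http.createServer((req, res) => { ...parse body into fields...
//     const r = handleVideoPost(fields); res.writeHead(r.status, r.headers); res.end(r.body); });
```

Because `handleVideoPost` never echoes the raw parameter, the pasted embed code in the original form is simply rejected with a 400 rather than being stripped after the fact, which is both what the auditor wants and what a reviewer would want.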
