I have a form that allows you to embed YouTube videos, and when it POSTs it renders the YouTube video. The problem is that Safari (since 5.0) has an XSS Auditor that throws this
The spec for POST indicates a redirect:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
If a resource has been created on the origin server, the response SHOULD be 201 (Created) and contain an entity which describes the status of the request and refers to the new resource, and a Location header (see section 14.30).
Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields. However, the 303 (See Other) response can be used to direct the user agent to retrieve a cacheable resource.
Since you said it works on subsequent GET requests, does that mean that you're trying to return the embedded object directly in the POST response? If so, seems against the spec, and the XSS Auditor might be in the right here. If I misunderstood the issue, can you clarify?
I resolved this with abarth on #webkit:
Safari 5 is trying to prevent a reflective XSS attack, by not allowing embeds that appear in the POSTed params.
There are two things I can do:
X-XSS-Protection: 0 header, which indicates that I know what I'm doing, and can protect against XSS myself.
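The two approaches described in the answers above, as an added example that is not code from the question or from either answer: a minimal request handler that (a) follows the first answer and responds to the form POST with a 303 See Other pointing at a GET resource, so the embed never appears in the POST response, or (b) follows the second answer and renders the embed directly in the POST response with an `X-XSS-Protection: 0` header. In both cases the submitted value is reduced to an allowlisted 11-character YouTube id before anything is rendered, so the only thing reflected is that id. The field name `video`, the paths `/embed` and `/video`, the `disable_auditor` flag and the sample id `AbCdEfGhIjK` are assumptions for this example.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlencode

# YouTube video ids are 11 characters from this alphabet. Anything else is
# rejected rather than reflected back into the page.
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


def extract_video_id(value):
    """Return the 11-character YouTube id from a bare id or a watch URL, else None."""
    value = value.strip()
    m = re.search(r"[?&]v=([A-Za-z0-9_-]{11})(?:[&#]|$)", value)
    if m:
        return m.group(1)
    return value if VIDEO_ID_RE.fullmatch(value) else None


def render_embed(video_id):
    """Build the embed markup for an already-allowlisted id (escape() is defence in depth)."""
    vid = escape(video_id, quote=True)
    return ('<!doctype html><title>Video</title>'
            f'<iframe width="560" height="315" src="https://www.youtube.com/embed/{vid}" '
            'frameborder="0" allowfullscreen></iframe>')


def handle(method, path, query="", body="", disable_auditor=False):
    """Handle one request; returns (status, headers, body_text). Hypothetical routes /embed and /video."""
    html_headers = [("Content-Type", "text/html; charset=utf-8")]
    text_headers = [("Content-Type", "text/plain")]

    if method == "POST" and path == "/embed":
        video_id = extract_video_id(parse_qs(body).get("video", [""])[0])
        if video_id is None:
            return "400 Bad Request", text_headers, "invalid video id"
        if disable_auditor:
            # Second answer's option: render in the POST response and tell the
            # browser's auditor to stand down. Acceptable only because nothing
            # beyond the allowlisted id reaches the markup.
            return "200 OK", html_headers + [("X-XSS-Protection", "0")], render_embed(video_id)
        # First answer's option (RFC 2616 section 9.5, 303 See Other): the POST
        # response carries no markup at all, only a Location header, so there is
        # nothing reflected for the auditor to block.
        location = "/video?" + urlencode({"v": video_id})
        return "303 See Other", [("Location", location)], ""

    if method == "GET" and path == "/video":
        video_id = extract_video_id(parse_qs(query).get("v", [""])[0])
        if video_id is None:
            return "400 Bad Request", text_headers, "invalid video id"
        return "200 OK", html_headers, render_embed(video_id)

    return "404 Not Found", text_headers, "not found"


if __name__ == "__main__":
    # Constructed sample request: a watch URL submitted through the form.
    status, headers, _ = handle("POST", "/embed",
                                body="video=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DAbCdEfGhIjK")
    print(status, dict(headers).get("Location"))
    status, _, page = handle("GET", "/video", query="v=AbCdEfGhIjK")
    print(status, page)
```

The redirect branch is the one to prefer: it satisfies the POST semantics quoted above and needs no browser-specific header. The `X-XSS-Protection: 0` branch only relaxes the client-side check; the allowlist on the id is what actually keeps attacker-supplied markup out of the response.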