[OSM-newbies] Rendering OSM without Adobe Flash

Richard Fairhurst richard at systemeD.net
Thu Nov 19 14:04:01 GMT 2009


John Whelan wrote:
> Is it possible?  I note there is a major security problem with Adobe Flash.

Er, no there isn't.

Flash is far from perfect but this alleged 'exploit' is largely hysteria. There are three causes and none of them are the Flash Player itself:

- Unconfigured webservers which don't send the correct Content-Type/Content-Disposition headers;
- Browsers which don't parse Content-Type headers as they should;
- Sites that allow users to upload arbitrary executables, including but not limited to Flash.

Since OSM does not (to the best of my knowledge) allow such uploads, the issue doesn't arise.

I would recommend reading:
- http://blogs.pcmag.com/securitywatch/2009/11/so-called_flash_vulnerability.php
- http://blogs.adobe.com/asset/2009/11/flash_content_and_the_same-ori.html
- http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html (the article itself is largely hyperbole, but the comments are quite informative)

One summary from the latter:

"What this comes down to is that web site administrators (and application engineers) need to make sure that untrusted SWF content (e.g. message attachments) must not be served over HTTP - they need to make sure that the server forces the browser to download the SWF to their local filesystem."

Which is common sense.

As others have pointed out, Flash has nothing to do with OSM rendering anyway and if you still like tin hats, other editors are available.

cheers
Richard
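As an added example (it is not part of Richard's post, nor OSM's or Adobe's code), here is a small Python routine that applies the advice quoted above: an untrusted upload is always served as a download, the uploader's declared type is overridden when the bytes are actually an SWF, and an audit helper flags a response whose headers would let the browser run the file in the site's origin. The header values, the list of "active" content types, the sample bytes and the function names are assumptions made for illustration; the SWF signatures FWS, CWS and ZWS are the real container magic bytes.

```python
"""
Added example (not from the original mailing-list post, not OSM's code):
serve untrusted uploads so that a browser will download rather than execute them.
The header policy, the ACTIVE_TYPES set and the sample bytes below are
assumptions chosen for illustration.
"""
from __future__ import annotations

# Real SWF container signatures: FWS (uncompressed), CWS (zlib), ZWS (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Types a browser may treat as active content in the page's origin if served
# inline. Assumed list for the example; extend it to taste.
ACTIVE_TYPES = {
    "application/x-shockwave-flash",
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}

# Constructed sample inputs (not real files): a minimal SWF header and a PNG header.
SAMPLE_SWF = b"FWS\x08" + b"\x00" * 12
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def looks_like_swf(data: bytes) -> bool:
    """True when the leading bytes carry an SWF signature, whatever the extension says."""
    return data[:3] in SWF_MAGIC


def _base_type(content_type: str) -> str:
    """'application/x-shockwave-flash; charset=x' -> 'application/x-shockwave-flash'."""
    return content_type.lower().split(";")[0].strip()


def download_headers(filename: str, declared_type: str, data: bytes) -> dict[str, str]:
    """Headers for serving an untrusted upload as an attachment.

    The declared type is replaced with application/octet-stream when the bytes
    look like an SWF or when the type is one a browser would execute; sniffing
    is disabled so the browser cannot second-guess the declared type.
    """
    content_type = _base_type(declared_type)
    if looks_like_swf(data) or content_type in ACTIVE_TYPES:
        content_type = "application/octet-stream"
    # Keep only the final path component and drop quotes so the name cannot
    # break out of the header value.
    safe_name = filename.replace("\\", "/").rsplit("/", 1)[-1].replace('"', "")
    if not safe_name:
        safe_name = "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return the list of problems with a response that serves untrusted content.

    An empty list means the response forces a download, does not advertise an
    executable type and forbids content sniffing. Header names are matched
    case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    problems: list[str] = []

    disposition = lower.get("content-disposition", "")
    if _base_type(disposition) != "attachment":
        problems.append("Content-Disposition is not 'attachment'")

    ctype = _base_type(lower.get("content-type", ""))
    if not ctype:
        problems.append("Content-Type missing (browser will sniff)")
    elif ctype in ACTIVE_TYPES:
        problems.append(f"Content-Type allows execution: {ctype}")

    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems.append("X-Content-Type-Options: nosniff missing")

    return problems


if __name__ == "__main__":
    # An SWF uploaded with a misleading name and declared type is still served as a download.
    print(download_headers("../maps/evil.png", "image/png", SAMPLE_SWF))
    # A server that serves the same upload inline as Flash is flagged on every count.
    print(audit_headers({"Content-Type": "application/x-shockwave-flash"}))
```

The audit function is the check to run against whatever your web server actually emits for user-supplied files; it is the "unconfigured webserver" case from the list above expressed as a test rather than as advice.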