Cross domain requests: Javascript vs Flash

As you might know, the browser's security model does not allow a script loaded in a page from http://www.example.com to make cross-domain requests (no AJAX calls to any domain other than www.example.com). The Javascript file itself could have been served from a different domain altogether (www.javascript.com/myscript.js) and that is irrelevant. This is the Same-Origin Policy.

Does Flash also have something similar? And does Flash treat the origin as the HTML page where the .swf file was loaded, or is the origin the domain which served the .swf file?

So http://www.example.com loads a .swf file from http://www.swf.com/myflash.swf. Now can the .swf load resources only from www.example.com, or only from www.swf.com? I'm assuming there are no cross-domain.xml files set up on either example.com or swf.com.

Harish asked Jan 25 '10 11:01


1 Answer

I think this article explains a lot about the problem you mention: http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html

From there:

For website owners, all user-supplied content should be served from a completely separate domain. This is already implemented by Yahoo mail, Hotmail, Wikipedia, and many other major websites, but a huge variety of self-contained web applications do not do so (and if I can, for example, upload a malicious file to "apiwiki.twiitter.com", I can perform cross-subdomain cookie attacks). A partial solution was made possible by Flash 10,0,0,2: SWF files served with a "Content-Disposition: attachment" header will not execute when embedded in a web page. If all user-generated content is served with this header (not a bad idea in any case), it may limit your exposure, but this is not a very robust solution.

It sounds like if you serve the content from a different domain and there are no cross-domain policy files, then Flash cannot access files from your main server.

Also, this article: http://supergeekery.com/index.php/geekblog/2009/12 states that

And everything I write should be able to trust each other and share with each other. You may wonder if Flash Ads are a problem. Do they have this problem? No, there are Flash ads all over the internet, but since they are almost never hosted on the same server as the domain you're visiting, they don't get to access the web site's primary code's data. Cool.

naivists answered Sep 20 '22 11:09
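The origin rule the answer describes (a SWF's origin is the host that served it, and a read from another host needs a matching entry in that host's crossdomain.xml, with no policy file meaning no access), as an added Python example that is not part of the original post; the policy strings and hostnames below are constructed, and the wildcard matching is an approximation of Flash's rules.

```python
"""Decide whether a SWF may read a cross-host resource under crossdomain.xml.

Rules modelled (added example, not code from the original post):
  - a SWF's origin is the host that served the .swf, not the embedding page;
  - same-host reads are always allowed;
  - cross-host reads need an <allow-access-from> entry on the target host;
  - no policy file on the target host means the read is denied.
"""
import fnmatch
import xml.etree.ElementTree as ET  # for policies fetched from untrusted hosts, prefer defusedxml
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample policies, not taken from any real site.
OPEN_POLICY = ('<?xml version="1.0"?><cross-domain-policy>'
               '<allow-access-from domain="*"/></cross-domain-policy>')
SCOPED_POLICY = ('<cross-domain-policy>'
                 '<allow-access-from domain="*.example.com"/></cross-domain-policy>')


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def allowed_domains(policy_xml: Optional[str]) -> List[str]:
    """Domain patterns granted by a crossdomain.xml; empty when no file is served."""
    if not policy_xml:
        return []
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "").lower() for e in root.iter("allow-access-from")]


def swf_may_read(swf_url: str, resource_url: str, policy_xml: Optional[str]) -> bool:
    """True if a SWF served from swf_url may read resource_url.

    policy_xml is the crossdomain.xml published by resource_url's host (None if absent).
    """
    swf_host, target_host = _host(swf_url), _host(resource_url)
    if swf_host == target_host:  # same origin: decided by the serving host
        return True
    # "*" and "*.example.com"-style patterns are approximated with shell-style matching.
    return any(fnmatch.fnmatchcase(swf_host, pat) for pat in allowed_domains(policy_xml))


def risky_entries(policy_xml: Optional[str]) -> List[str]:
    """Entries that grant every host read access; the setting a reviewer should flag."""
    return [d for d in allowed_domains(policy_xml) if d == "*"]
```

With the question's setup (SWF on www.swf.com embedded by www.example.com, no policy files), `swf_may_read` returns False for www.example.com resources and True only for www.swf.com ones.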