如何安全地嵌入任何Flash文件(SWF)? (How to safely embed any flash file (swf)?)

問題描述

如何安全地嵌入任何 Flash 文件 (swf)? (How to safely embed any flash file (swf)?)

我想讓我的用戶在他們的帖子中嵌入他們自己的 Flash 動畫。通常,實際文件託管在一些免費的圖像託管站點上。除非用戶單擊要播放的按鈕,否則我實際上不會加載 Flash(因此在頁面加載時不會自動播放)。我知道人們可以在 Flash 中做出一些非常煩人的廢話,但我找不到任何有關 Flash 應用程序可能對查看者造成的潛在嚴重損害的信息。

它不安全嗎?嵌入互聯網上的任何 Flash 文件?如果是這樣,我怎樣才能讓用戶嵌入無辜的動畫但仍然阻止有害的應用程序?

編輯:

據我所知,最明顯的威脅是動作腳本重定向您訪問了惡意網站。

Adobe

You could get the same protection by hosting your flashes on a different subdomain, since flash considers this the same as a completely different domain.

方法 2:

When embedding SWFs from unknown sources, it is also best practice to throw a mask on the Loader so that the loaded SWF can't take over more screen real estate than expected.

Pseudo‑code to do so:

var maskSpr : Sprite = new Sprite();
maskSpr.graphics.beginFill();
maskSpr.graphics.drawRect(0,0,safeWidth,safeHeight);
maskSpr.graphics.endFill();
myLdr.mask = maskSpr;

方法 3:

There is actually more than one option.

To be totally safe, set allowScriptAccess=never and allowNetworking=none and the swf will have no access to anything outside of itself.

NOTE: allowNetworking is only in Flash Player 9 (it was created in response to various myspace worms), so you'll need to use SWF Object to insure that only users with the right flash player version or better have the flash loaded.

If you want to enable things like youtube videos, though, you can't set allowNetworking to "none". Fortunately, there is an intermediate level of security for this field ‑ "internal" which lets the SWF talk to its hosted domain.

Also note that you better not have a crossdomain.xml file on your site ‑ read more about those dangers here and other places.

Here are some other sites that are mentioned by other answers that go into more detail:

http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps_04.html

http://blogs.adobe.com/stateofsecurity/2007/07/how_to_restrict_swf_content_fr_1.html

方法 4:

As an example Drupal has a scenario of how allowing flash content from users could be a security concern.

方法 5:

Adobe says you can set allowScriptAccess=never and allowNetworking=none and the swf should have no access to anything outside of itself. Although allowNetworking is only in Flash Player 9, so users with earlier versions of Flash would still be susceptible to some exploits.

Creating more secure SWF web applications : Security Controls Within the HTML Code

How to restrict SWF content from HTML

(by dsimsgrapefruktRickDTpbarryRedWolvesdsims)

參考文件

  1. How to safely embed any flash file (swf)? (CC BY‑SA 2.5/3.0/4.0)

#Security #flash #embed




相關問題

只允許 oracle db 登錄到特定的應用程序? (Allowing oracle db login only to specific application?)

在桌面應用程序中保存用戶名和密碼 (Saving username & password in desktop app)

如何使用算法 RSA/ECB/PKCS1Padding 通過 JavaScript 解密加密字符串 (How to decrypt through JavaScript of encrypted string using algorithm RSA/ECB/PKCS1Padding)

wcf:將用戶名添加到消息頭是否安全? (wcf: adding username to the message header is this secure?)

沒有 .htaccess 的安全目錄密碼保護 (Secure directory password protection without .htaccess)

無法在 Oracle 表上創建簡單視圖 (Unable to create a simple view on Oracle table)

當請求來自調度程序時,無法寫入 App_Data (Cannot write in App_Data when request is from scheduler)

安全的 PHP 文件上傳 (Secure PHP file uploading)

Grails Spring 安全配置通過 xml (Grails Spring Security Configuration thru xml)

醫療應用的安全要求 (Security Requirements for Medical Applications)

如何保護 Silverlight 應用程序 (How to Secure Silverlight Application)

在使用 azure 流量管理器和 azure 應用程序網關與 WAF 時實現國家級阻止 (Achieve country level blocking while using azure traffic manager and azure application gateway with WAF)





留言討論