Problem description
How to safely embed any Flash file (swf)?
I want to let my users embed their own Flash animations in their posts. Usually the actual file is hosted on some free image hosting site. I don't actually load the Flash unless the user clicks a button to play it (so it doesn't autoplay on page load). I know people can do some really annoying crap in Flash, but I can't find any information about the potentially serious damage a Flash application could do to viewers.
Is it unsafe to embed any Flash file from the internet? If so, how can I let users embed innocent animations but still block harmful applications?
Edit:
As far as I can tell, the most obvious threat is ActionScript redirecting you to a malicious site.
Method 2:
When embedding SWFs from unknown sources, it is also best practice to throw a mask on the Loader so that the loaded SWF can't take over more screen real estate than expected.
Pseudo‑code to do so:
var safeWidth:Number = 400, safeHeight:Number = 300; // area the loaded SWF is allowed to occupy
var myLdr:Loader = new Loader();                     // Loader that will hold the untrusted SWF
var maskSpr:Sprite = new Sprite();
maskSpr.graphics.beginFill(0x000000);                // beginFill needs a colour; it is irrelevant for a mask
maskSpr.graphics.drawRect(0, 0, safeWidth, safeHeight);
maskSpr.graphics.endFill();
addChild(maskSpr);                                   // keep the mask on the display list
addChild(myLdr);
myLdr.mask = maskSpr;                                // anything drawn outside the rect is clipped
Method 3:
There is actually more than one option.
To be totally safe, set allowScriptAccess=never and allowNetworking=none and the swf will have no access to anything outside of itself.
NOTE: allowNetworking is only in Flash Player 9 (it was created in response to various myspace worms), so you'll need to use SWF Object to ensure that only users with the right flash player version or better have the flash loaded.
If you want to enable things like youtube videos, though, you can't set allowNetworking to "none". Fortunately, there is an intermediate level of security for this field - "internal" which lets the SWF talk to its hosted domain.
Also note that you better not have a crossdomain.xml file on your site - read more about those dangers here and other places.
Here are some other sites that are mentioned by other answers that go into more detail:
http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps_04.html
http://blogs.adobe.com/stateofsecurity/2007/07/how_to_restrict_swf_content_fr_1.html
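Putting the two HTML-side parameters from this answer into practice, as an added example that is not code from any answer on this page: a JavaScript helper that builds the object markup for a user-supplied SWF URL itself (rather than echoing a user-submitted embed snippet) with allowScriptAccess=never and allowNetworking=none, plus an audit function that flags an embed lacking them. The function names, the URL check and the 800x600 size cap are assumptions.

```javascript
// Added example, not from any answer on this page; function names and the 800x600 cap are
// assumptions. Flash Player HTML embedding parameters discussed above:
//   allowScriptAccess "never"    - the SWF cannot call JavaScript in the hosting page.
//   allowNetworking   "none"     - no navigateToURL / network APIs (Flash Player 9+);
//                     "internal" - no browser navigation, but may talk to its hosting domain.
const SAFE_PARAMS = Object.freeze({ allowScriptAccess: "never", allowNetworking: "none" });
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only an absolute http(s) URL whose path ends in .swf (rejects javascript:,
// data:, relative paths and non-SWF files); returns the normalised URL or null.
function parseSwfUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return /\.swf$/i.test(u.pathname) ? u.href : null;
}

// Build the <object> markup ourselves from a validated URL instead of echoing a
// user-supplied <object>/<embed>; width/height are clamped so the SWF cannot cover the page.
function buildSafeEmbed(rawUrl, width, height, opts = {}) {
  const url = parseSwfUrl(rawUrl);
  if (url === null) throw new Error("rejected SWF URL");
  const w = Math.min(Math.max(1, width | 0), 800);
  const h = Math.min(Math.max(1, height | 0), 600);
  const params = { ...SAFE_PARAMS };
  if (opts.allowInternalNetworking) params.allowNetworking = "internal"; // e.g. video players
  const paramTags = Object.entries(params)
    .map(([k, v]) => `<param name="${k}" value="${v}">`).join("");
  return `<object type="application/x-shockwave-flash" data="${escapeAttr(url)}" ` +
    `width="${w}" height="${h}"><param name="movie" value="${escapeAttr(url)}">` +
    `${paramTags}</object>`;
}

// Audit an embed string: list params that are unsafe or absent (absent means Flash Player
// defaults apply: allowScriptAccess=sameDomain, allowNetworking=all).
function auditEmbed(html) {
  const get = (name) => {
    const m = html.match(new RegExp(`<param\\s+name="${name}"\\s+value="([^"]*)"`, "i"));
    return m ? m[1].toLowerCase() : null;
  };
  const findings = [];
  const sa = get("allowScriptAccess");
  if (sa !== "never") findings.push(`allowScriptAccess=${sa === null ? "missing" : sa}`);
  const an = get("allowNetworking");
  if (an !== "none" && an !== "internal") findings.push(`allowNetworking=${an === null ? "missing" : an}`);
  return findings;
}
```

Run auditEmbed over any embed code already stored in posts to find entries that predate these parameters.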
Method 4:
As an example, Drupal has a scenario of how allowing flash content from users could be a security concern.
Method 5:
Adobe says you can set allowScriptAccess=never and allowNetworking=none and the swf should have no access to anything outside of itself. However, allowNetworking is only in Flash Player 9, so users with earlier versions of Flash would still be susceptible to some exploits.
Creating more secure SWF web applications : Security Controls Within the HTML Code
How to restrict SWF content from HTML
(by dsims, grapefrukt, RickDT, pbarry, RedWolves, dsims)