Skip navigation
NoMan\'sLand
NoMan\'sLand Calculating status...
Currently Being Moderated

Please help about SWFLoader security

May 13, 2012 11:10 PM

Tags: #security #swfloader

I have a Flex4.5 application who run on Flash Player.

 

I'm uploading a swf file by FileReference controls, then preview it by SWFLoader controls.But I do not want the action script in uploaded swf can visit my action script in my Flex main application.How can I do?

 

Thanks!

706 Views   5 Replies   Latest reply: Flex harUI, May 16, 2012 10:00 AM
 
Replies
  • Flex harUI
    Currently Being Moderated
    1. Flex harUI,
    May 14, 2012 8:07 AM   in reply to NoMan\'sLand
    Report

    If the AS is required to preview then the preview won’t work.  But if you load the SWF from a different subdomain it will load into its own sandbox where the AS can do less damage, although some SWFs cannot run in a sandbox.

     
    |
    Mark as:
  • NoMan\'sLand
    Currently Being Moderated
    2. NoMan\'sLand,
    May 15, 2012 6:21 PM   in reply to NoMan\'sLand
    Report

    Thanks,but have't other easier methods? I want to save the swf file in server-side after previewing it.

     
    |
    Mark as:
  • Flex harUI
    Currently Being Moderated
    3. Flex harUI,
    May 15, 2012 10:48 PM   in reply to NoMan\'sLand
    Report

    You can try allowCodeImport, but again, if the SWF needs to run code, it might still fail.

     
    |
    Mark as:
  • bingfei001
    Currently Being Moderated
    4. bingfei001,
    May 16, 2012 1:14 AM   in reply to Flex harUI
    Report

    I've met the same problem.

    If a local swf file is written to byte array by FileReference and assign the byte array to SWFLoader' source,

    loaded swf runs at same sandbox as the main application.

    So loaded swf can access main application' resource.That is a security risk.

     

    Why locally loaded swf can access remotly loaded main application's resource?

     
    |
    Mark as:
  • Flex harUI
    Currently Being Moderated
    5. Flex harUI,
    May 16, 2012 10:00 AM   in reply to bingfei001
    Report

    Again, you can use allowCodeImport to block running script in the child.

     

    Did you run your test from http://  The security rules are tighter there, and the loaded SWF should be calling from the main apps domain.  It is my understanding that you’ve effectively done a WGET.

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points