7 Replies Latest reply on Jan 24, 2013 11:06 AM by sinious

    Prevent opening the swf without html wrapper

    eprevot123 Level 2

      Do you know how to force a html wrapper to open the swf ?

      I mean, the swf would be able to detect if a html wrapper loaded it or if someone entered the swf path in the url input of its browser.

      I was surprised to see ExternalInterface.available=true when you load the swf directly in the browser.

      There is no difference in the swf loaderInfo, when you load it from html or directly.

        • 1. Re: Prevent opening the swf without html wrapper
          sinious Most Valuable Participant

          Try checking this.loaderInfo.loaderURL and see if the SWF is the file loaded, if so perform a navigateToURL() to a different location.

           

          Speaking of ExternalInterface, you can even use it to get the URL via JS as well because it's enabled:

           

          import flash.external.ExternalInterface;

           

          var pageURL:String = ExternalInterface.call('window.location.href.toString');

          • 2. Re: Prevent opening the swf without html wrapper
            moccamaximum Level 5

            If you are trying to prevent that somebody is downloading your swf, there is no way to do that.

            Modern decompilers directly read the swf out of the browser.

            And hundreds of plugins like this.

            .

            • 3. Re: Prevent opening the swf without html wrapper
              sinious Most Valuable Participant

              There is a protect SWF from import feature that can help protect the SWF but the OP never mentioned protection was important and the global rule in computing always applies. If someone REALLY wants to hack you and has skills, you are getting hacked, period.

              • 4. Re: Prevent opening the swf without html wrapper
                eprevot123 Level 2

                Well, here I just want to avoid people using directly the swf because then they would have ugly errors.

                But if you can provide a link to an effective way of protecting SWF from import sinious, I would be happy to see it !

                 

                I can't use this.loaderInfo.loaderURL, it is the same when you open the swf or through the html.

                But I will use ExternalInterface.call('window.location.href.toString')

                I used something similar to check that the swf is not opened from another domain, I should have thought of that.

                Thank you

                • 5. Re: Prevent opening the swf without html wrapper
                  sinious Most Valuable Participant

                  You're welcome and unfortunately the rules I just mentioned apply. As much as you can do is check off "Protect from import" and assign a password in SWF export options. At least then your SWF cannot be imported into Flash without the password. Beyond that, if someone really wants to hack your SWF there's virtually no way to protect it (or anything else). Rest assured it is very difficult to do and unless you're saving tons of extremely sensitive information in the SWF, I wouldn't worry. Use at least AES encrypted strings everywhere you can if possible use secure methods like encrypted traffic to a database or protected region out of HTTP accessibility. Even then, not to beat a dead horse, if someone REALLY wants to hack you and is skilled, they probably will. Anticipate, protect as best you can and prepare to mitigate as always.

                  • 6. Re: Prevent opening the swf without html wrapper
                    eprevot123 Level 2

                    I don't use Flash CS but only FlashBuilder, I don't think there is a "Protect from import" option.

                    The swf does not hold "extremely sensistive" information but I would just like to protect my work. We offer a paid service but if someone imports, decompiles, and modifies the swf, he may access the service free. There are additional protections on the server side, but as you said if somebody wants, he will. I just want to add the most protections I can.

                    • 7. Re: Prevent opening the swf without html wrapper
                      sinious Most Valuable Participant

                      Even protect from import isn't safe from decompilation. Simple rule, never, EVER save sensitive information or media in a SWF. (I only use FB4.6/4.7 Premium myself as well).