0 Replies Latest reply on Jul 8, 2008 5:45 PM by tragicallybored

    Securely embedding a swf within another swf

    tragicallybored
      Hi everyone,
      I am wondering how to best secure embedded swf files. We have a site where 3rd party users can upload their own custom swf files that we then display on our site. Our app itself runs on Flex 3, and when we display the 3rd party swfs, we had, in the past, used the SwfLoader class to do so.

      One problem with this was that it opened up an XSS vulnerability. Our app needs both network and scripting turned on, and because we're loading the 3rd party swfs from the same domain, allowScriptAccess="sameDomain" doesn't work to weed out the bad swfs. Due to some load balancer issues, we can't simply switch to using the IP address instead of the domain name (as I've seen suggested in some places).

      Our current workaround is to create an IFrame, place it over the swf, and inside the IFrame load up the 3rd party swf with allowNetworking="none" and allowScriptAccess="never", but this is a bit hacky and will be tricky to get right for resizing/etc.

      I am wondering if there is a better way to solve this problem. Ideally, the SwfLoader would also allow the developer to specify whether the swf to be loaded should have script/network access in the Load() call. Am I missing something obvious?

      Thanks in advance.
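The IFrame workaround described in the post needs an inner document that embeds the untrusted swf with both restrictive parameters set. The following is an added example (not the poster's code) of a server-side helper that generates that markup while treating the uploaded swf's URL as untrusted input; the function names and the upload path are assumptions.

```javascript
// Escape a value for use inside a double-quoted HTML attribute, so an
// attacker-chosen file name cannot break out of the attribute and add
// or override parameters such as allowScriptAccess.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the <object>/<embed> markup for the sandboxing IFrame document.
// Both the <param> form (used by IE-style object embedding) and the
// <embed> attribute form (used by other browsers) carry the restrictions,
// because the player only honours whichever one the browser passes along.
function buildSandboxedSwfEmbed(swfUrl, width, height) {
  // Only accept an absolute http(s) URL or a site-relative path; this
  // rejects scheme tricks such as "javascript:" or protocol-relative "//".
  if (!/^(https?:\/\/|\/(?!\/))/i.test(swfUrl)) {
    throw new Error("swfUrl must be an http(s) URL or a site-relative path");
  }
  const w = Number.parseInt(width, 10);
  const h = Number.parseInt(height, 10);
  if (!Number.isInteger(w) || !Number.isInteger(h) || w <= 0 || h <= 0) {
    throw new Error("width and height must be positive integers");
  }
  const url = escapeAttr(swfUrl);
  return [
    `<object type="application/x-shockwave-flash" data="${url}" width="${w}" height="${h}">`,
    `  <param name="movie" value="${url}">`,
    // No ExternalInterface/JavaScript calls from the loaded swf.
    `  <param name="allowScriptAccess" value="never">`,
    // No URLLoader/navigateToURL/socket activity from the loaded swf.
    `  <param name="allowNetworking" value="none">`,
    `  <embed src="${url}" type="application/x-shockwave-flash" width="${w}" height="${h}"` +
      ` allowScriptAccess="never" allowNetworking="none">`,
    `</object>`,
  ].join("\n");
}

// Constructed sample: a third-party upload served from the same domain
// (the situation described in the post), with a hypothetical upload path.
const sampleEmbed = buildSandboxedSwfEmbed("/uploads/third-party.swf", 400, 300);
```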