I am wondering how to best secure embedded swf files. We have
a site where 3rd party users can upload their own custom swf files
that we then display on our site. Our app itself runs on flex 3,
and when we display the 3rd party swfs, we had, in the past, used
the SwfLoader class to do so.
One problem with this was that it opened up an XSS
vulnerability. Our app needs both network and scripting turned on,
and because we're loading the 3rd party swfs from the same domain,
the allowScriptAccess="sameDomain" doesn't work to weed out the bad
swfs. Due to some load balancer issues, we can't simply switch to use
the IP address instead of the domain name (as I've seen suggested
in some places).
Our current workaround is to create an IFrame, place it over
the swf, and inside the IFrame load up the 3rd party swf with
allowNetworking="none" and allowScriptAccess="never", but this is a
bit hacky and will be tricky to get right for resizing/etc.
I am wondering if there is a better way to solve this
problem. Ideally, the SwfLoader would also allow the developer to
specify whether the swf to be loaded should have script/network
access in the Load() call. Am I missing something obvious?
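As an added illustration (not code from the original question or its author), here is a small JavaScript helper that generates the IFrame wrapper page described above: it embeds an untrusted SWF with allowNetworking="none" and allowScriptAccess="never" on both the object and embed paths, and refuses SWF URLs or dimensions that could break out of the markup. The wrapper layout, the URL scheme check and the sample path under /uploads/ are assumptions.

```javascript
// Added example (not from the original question): build the HTML for the
// IFrame wrapper page that hosts a third-party SWF with the two Flash
// sandbox parameters the question relies on. Paths and layout are assumed.

// Escape a value for a double-quoted HTML attribute, so a hostile uploaded
// filename cannot close the quote and add its own attributes.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Both parameters must appear as <param> tags (for <object>) and as
// attributes (for <embed>); a player taking either path must see them.
const LOCKED_DOWN_PARAMS = Object.freeze({
  allowScriptAccess: 'never',
  allowNetworking: 'none',
});

// Build the wrapper document for one untrusted SWF.
function buildSandboxWrapper(swfUrl, width, height) {
  const w = Number(width), h = Number(height);
  if (!Number.isInteger(w) || !Number.isInteger(h) || w <= 0 || h <= 0) {
    throw new Error('width and height must be positive integers');
  }
  // Accept only same-site absolute paths or http(s) URLs without quotes,
  // angle brackets or whitespace; any other scheme is rejected.
  if (!/^(https?:\/\/|\/)[^"'<>\s]*$/i.test(swfUrl)) {
    throw new Error('unsafe SWF URL');
  }
  const src = escapeAttr(swfUrl);
  const params = Object.entries(LOCKED_DOWN_PARAMS)
    .map(([k, v]) => `<param name="${k}" value="${v}">`).join('');
  const embedAttrs = Object.entries(LOCKED_DOWN_PARAMS)
    .map(([k, v]) => `${k}="${v}"`).join(' ');
  return '<!DOCTYPE html><html><body style="margin:0">' +
    `<object type="application/x-shockwave-flash" data="${src}" width="${w}" height="${h}">` +
    `<param name="movie" value="${src}">${params}` +
    `<embed src="${src}" type="application/x-shockwave-flash" width="${w}" height="${h}" ${embedAttrs}>` +
    '</object></body></html>';
}

// Check that generated markup carries both lockdown settings on both paths.
function isLockedDown(html) {
  return /name="allowScriptAccess" value="never"/.test(html) &&
         /name="allowNetworking" value="none"/.test(html) &&
         /allowScriptAccess="never"/.test(html) &&
         /allowNetworking="none"/.test(html);
}
```

The parent page then points an IFrame at a URL that serves this wrapper for the given upload, so the main Flex application never loads the third-party SWF into its own player instance.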