13 Replies Latest reply on Jun 16, 2010 11:13 AM by Flex harUI

    Crossdomain Image and smoothing security...

    EvaRevres

       

       

       

      Hi there,

       

      I once again have the big problem of loading images from all around the www (my users just type URLs to their images, I don't). Everything works fine if I just use an <mx:Image> element to load those images into my Flex app. The problem is that I cannot read the Bitmap content, and so even built-in functions like smoothBitmapContent (from SDK 3.5+) do not work when no "crossdomain.xml" exists on the foreign server. Took me some hours to finally understand why this stuff does not work.

       

      I have now either really crappy pictures (if scaled in any way you can read almost nothing on them anymore) or no pictures because of sandbox restrictions. As far as I understood the reason is that your app should not trust the foreign data that is delivered and executed inside your Flash context. Because somebody could deliver an evil swf that could read data that it should not read and so on. But why does the other host require a crossdomain.xml? Does the other server need to tell me that I can trust his images? This doesn’t make much sense, does it?

       

      I found some examples of an image proxy for my server, but this is not how it should work and I don’t want to bundle all bandwidth on my “small” server if image hosters have hundreds of servers to load images in proper time.

       

      Any HTML page can load the same images and manipulate them without such restrictions. Is there no workaround to that problem? Shall I start over and turn to HTML5 instead?

       

       

        • 1. Re: Crossdomain Image and smoothing security...
          Flex harUI Adobe Employee

          You can load Images from anywhere and display them, but you can't manipulate the data. I don't know if HTML's security model has holes in it, but Flash is pretty restrictive on purpose.

          That's because when a Flash SWF is running, it is running in the client's browser inside the firewall.

          • 2. Re: Crossdomain Image and smoothing security...
            jsd99 Level 3

            You can set trustContent="true" on your mx:Image and that will allow the smoothing to work.

             

            I agree with you in principle that Flash is far too restrictive, but we're stuck with it.

            • 3. Re: Crossdomain Image and smoothing security...
              Flex harUI Adobe Employee

              There may be a few places where we're being too restrictive, but Flash security model is one of the reasons Flash is everywhere. We cannot afford to let Flash become the platform of choice for people writing viruses and spyware.

              The same lock that keeps you from getting to the keys you just locked in your car is the same lock that prevents someone else from taking your car.

              • 4. Re: Crossdomain Image and smoothing security...
                jsd99 Level 3

                Flex harUI wrote:

                 

                There may be a few places where we're being too restrictive, but Flash security model is one of the reasons Flash is everywhere. We cannot afford to let Flash become the platform of choice for people writing viruses and spyware.

                The same lock that keeps you from getting to the keys you just locked in your car is the same lock that prevents someone else from taking your car.

                 

                I'm sorry harUI but if it's a HTTP URL that you are trying to do a GET on, which any browser in the world can do without restriction, there should be NO limitation on what Flex/Flash lets you do with the data once you have it.  All these workarounds like running your own proxy on the same domain put the lie to the notion that it's more secure anyway.  If the other domain wants to block you from GETting or POSTing they can use the access control facilities of their server software.  Flash shouldn't be erecting artificial barriers.

                • 5. Re: Crossdomain Image and smoothing security...
                  Flex harUI Adobe Employee

                  I am not a security expert so please review the security whitepapers on the Adobe site, but I think you are missing a key point. Note also that I am not an expert on servers either, but the point is this:

                  A proxy server request has a header that contains the requesting domain which will be whatever domain you make the request from. The Flex/Flash request will come from the user's computer, not from that domain and as such, cannot be blocked as easily.

                  A Flex SWF is a traveling salesperson. When you click on a link and launch it, because it runs in your browser, you are basically opening your door and inviting that salesperson into your home. We have to make sure that person you let in your house doesn't steal your stuff while he's there.

                  • 6. Re: Crossdomain Image and smoothing security...
                    EvaRevres Level 1

                    Hmm, I do understand that Flash has its security model and this is fine. But I don't understand why another server tells me if his data is secure to me or not. I can load the image from everywhere (which is great so far) but can't smooth it because the Flash client fears dangerous data from that unknown host - also clear and sensible. But now the server has a crossdomain.xml file with "*" so anybody can access this data - now the same image data is trusted by the Flash player - this doesn't make much sense. This is like asking the malware producer if his virus is safe for me to be installed.

                     

                    I would expect a policy on the side of the Flash app to decide where the user can load images from, which formats are allowed or something like that.

                     

                    I have also tried: trustContent="true" but this changed nothing so far. Maybe I missed something else here?

                     

                    Can I make a screenshot of an image somehow so that I can use the data in a "copy" ?

                    • 7. Re: Crossdomain Image and smoothing security...
                      Flex harUI Adobe Employee

                      If you have permission via crossdomain.xml, then yes, you should be able to load the image and manipulate the data. You may need to supply a custom loaderContext with the checkPolicyFile flag set to true.

                      Remember, you are the person invited into someone else's home. The server's crossdomain.xml is allowing you to actually touch their stuff instead of just look at it. There is no way the security model would allow a stranger to make that kind of decision, only the homeowner can. However, as the stranger, you have to decide whether to touch their stuff. It could in fact be dangerous to you as well.
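The loaderContext suggestion from the reply above, as an added ActionScript 3 example (not code posted by anyone in this thread). The class name SmoothedRemoteImage is hypothetical, and smoothing only takes effect if the image host serves a crossdomain.xml that covers the SWF's domain; otherwise the image is still displayed, unsmoothed.

```actionscript
package {
    import flash.display.Bitmap;
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;

    // Hypothetical class name; shows a remote image and smooths it only when permitted.
    public class SmoothedRemoteImage extends Sprite {
        private var loader:Loader = new Loader();

        public function SmoothedRemoteImage(url:String) {
            // checkPolicyFile = true: Flash Player fetches the image host's
            // crossdomain.xml before the image, so bitmap access can be granted.
            var context:LoaderContext = new LoaderContext(true);
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onComplete);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, onIoError);
            addChild(loader); // displaying works with or without a policy file
            loader.load(new URLRequest(url), context);
        }

        private function onComplete(event:Event):void {
            try {
                // Reading loader.content is the "touch" step; it throws a
                // SecurityError when the host's policy does not cover this SWF.
                var bitmap:Bitmap = loader.content as Bitmap;
                if (bitmap != null) {
                    bitmap.smoothing = true;
                }
            } catch (e:SecurityError) {
                trace("No cross-domain permission, image stays unsmoothed: " + e.message);
            }
        }

        private function onIoError(event:IOErrorEvent):void {
            trace("Image could not be loaded: " + event.text);
        }
    }
}
```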

                      • 8. Re: Crossdomain Image and smoothing security...
                        jsd99 Level 3

                        Flex harUI wrote:

                         

                        Remember, you are the person invited into someone else's home. The server's crossdomain.xml is allowing you to actually touch their stuff instead of just look at it. There is no way the security model would allow a stranger to make that kind of decision, only the homeowner can. However, as the stranger, you have to decide whether to touch their stuff. It could in fact be dangerous to you as well.

                        See, this is where Flash's security model makes no sense.  If I'm using PHP or .NET or any other language in the world, I can get all the bytes from an HTTP GET request and do whatever the hell I want with them, server be damned.  It's only Flash that is specifically preventing me from accessing them, it's not the policy of the server that's serving the object.  If the server didn't want me to be able to look at the bytes in a response, it would not satisfy the request in the first place.  Once the data have been transmitted over the network, there should be no restriction on what I can do with them.

                         

                        I have a similar objection to Flash's restriction on reading response headers.  If the server returns a 302 redirect, why can't I get at the contents of the redirection header?  I know it's not supported by the browser plugin API but WHY NOT?  It makes working with YouTube, for example, needlessly difficult.  What possible security issue could there be?  The server is returning an important piece of information, they certainly don't mean for it to be kept a secret.

                         


                        Sorry, rant over...

                        • 9. Re: Crossdomain Image and smoothing security...
                          Flex harUI Adobe Employee

                          I don't know much about PHP or .NET, but I think those are server-side technologies and I think we agreed that server requests can be blocked from certain domains if the responding server wants to, and crossdomain.xml serves as that permission slip for browser HTTP requests.

                          Once someone decides they don't want your server getting data off of their server and blocks you, then if you can still write javascript to run in the browser and get at the image bytes and then display a modified set of those bytes as an image, folks would be exploiting that for phishing attacks.

                          Flash does not allow that and thus is trusted by most people and has enjoyed significant penetration because of that. It is quite simple: If someone locks a door from the inside, Flash should not let you unlock that door from the outside.

                          The header thing has been discussed in previous threads.

                          • 10. Re: Crossdomain Image and smoothing security...
                            EvaRevres Level 1

                            Hmm, OK, well, there is no solution inside Flash I guess to this problem. So what about JavaScript? We could load an image from everywhere by JavaScript or just HTML and then maybe use a Flash callback to push the image data to Flash?

                             

                            <img id="img" src="somehere.com/test.png" />

                            <script>
                            flexApp.setImageDate("img", document.getElementById("img").something);
                            </script>

                             

                            I don't know if there is something like this in JavaScript/HTML but maybe somebody has an idea?

                            • 11. Re: Crossdomain Image and smoothing security...
                              Flex harUI Adobe Employee

                              I am not a Javascript expert, but I doubt there is a way to access the bitmap from an <img> tag in HTML. If there was, folks would be exploiting it to steal data from people and it would get closed shortly.

                              Basically, you are trying to accomplish something that should require explicit permission (via crossdomain.xml). My analogy is that it would be great if nobody locked their doors so I could stop in and use their bathroom whenever I needed it without asking since I'm an honest person and will clean up after myself, but then the bad guys would also come in.

                              Mean people are the reason we have security measures that get in our way. Every time you fly or lock your car or house door and windows it is because mean people suck.

                              • 12. Re: Crossdomain Image and smoothing security...
                                jsd99 Level 3

                                Flex harUI wrote:

                                 

                                I am not a Javascript expert, but I doubt there is a way to access the bitmap from an <img> tag in HTML. If there was, folks would be exploiting it to steal data from people and it would get closed shortly.

                                How can you steal that which is being given away freely?

                                • 13. Re: Crossdomain Image and smoothing security...
                                  Flex harUI Adobe Employee

                                  The display of an image is free, but the manipulation of the bytes to modify the image is not. "Look but don't touch".