Flasher Archive



Subject: RE: FLASH: Flash Functionality Verification - about security
From: JGL
Date: Fri, 30 Jun 2000 20:38:41 +0100

Just curious, but anything you would want to do that was potentially
damaging served from another server, would you not be able to just do it
through encoding the url? Or is that not possible either . . .

sign me
not trying to find a new hack, just curious . . .
JGL

-----Original Message-----
Hi John,

You wrote:

>I would appreciate verification, or better yet refutation, that Flash
>does not allow the loading of variables from Domains other than
>the one servicing the movie.


Indeed, this change was made to prevent potential abuse.

If a Flash movie is allowed to access data from any domain, a malicious
author could make a movie that targets an internal server behind a firewall,
and potentially send that data back to any remote location they wish. That
would be bad.

With the suggested server script, this means the script runs on YOUR domain.
Much safer.

Our TechNote on this is here:

Load Variables from a data source on another domain is not working
#14123
http://www.macromedia.com/support/flash/ts/documents/loadvars_security.htm

I understand people's points about the convenience of executing server
scripts from anywhere, but this also leaves the door open to abuse. There
are lots of companies and institutions that use Flash because it is safe.
Allowing this potential abuse would certainly sour a lot of people on the
Flash Player and its security. As it is now, it's very safe.

Matt
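
An added example, not part of the original messages or of the Macromedia TechNote: a sketch of the host check a relay script on your own domain could apply before fetching remote data on a movie's behalf. It judges the parsed URL, so an encoded or disguised URL is decided by the host it really names. The allowlist, host names and function name are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only upstream hosts this relay may fetch from.
ALLOWED_HOSTS = {"data.partner.example"}


def relay_target_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for plain http(s) URLs whose host is allowlisted."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased, userinfo and port removed
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False               # no file:, ftp:, gopher: and so on
    if parts.username is not None or parts.password is not None:
        return False               # "allowed-name@other-host" style URLs
    if host is None or "%" in host:
        return False               # empty host or percent-encoded host name
    if port not in (None, 80, 443):
        return False               # keep the relay off internal service ports
    # Exact match only: suffix or substring tests would accept look-alike hosts.
    return host.rstrip(".") in allowed_hosts


if __name__ == "__main__":
    # Constructed sample requests, as a movie might pass them to the relay.
    samples = [
        "http://data.partner.example/vars.txt",
        "http://10.0.0.5/vars.txt",
        "http://data.partner.example@10.0.0.5/vars.txt",
        "http://data%2Epartner%2Eexample/vars.txt",
        "http://data.partner.example.other.example/vars.txt",
        "file:///etc/passwd",
    ]
    for s in samples:
        print("ALLOW" if relay_target_allowed(s) else "DENY ", s)
```

The check runs before any network request is made, so a rejected URL never causes the server to connect anywhere.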





Replies
  Re: FLASH: Flash Functionality Verificat, Matt Wobensmith
