Flash Player, security: If a URL starts with "http://" will the SWF always be loaded into REMOTE san

Posted by Pavel on Stack Overflow See other posts from Stack Overflow or by Pavel
Published on 2010-06-05T13:58:47Z Indexed on 2010/06/05 14:02 UTC
Read the original article Hit count: 173

Filed under:
|
|

Seems to be a question for a Flash security guru.

Suppose we are loading an external SWF movie with MovieClipLoader.loadMovie(url:String) Is it safe to assume that if url starts with "http://", the movie will be loaded in REMOTE sandbox?

We need to tell local SWFs from remote ones to close a security hole.

If you need the context read on.

We have developed a Projector, written in C++ embedding Flash Player ActiveX. Our Flash application runs inside the Projector. Soon we want to give our users a way to create plugins for the application. The plugins are obviously will be SWF movies.

The case I'm afraid of is the following. A bad person creates a malicious evil.swf pretending it to be nice plugin for our app. In case evil.swf is loaded from the local file system it is granted an access to the whole MovieClip tree and Projector API, opening C++ file access operations.

On the other hand if evil.swf is loaded from the internet, remotely, it will be locked in REMOTE sandbox by Flash security model.

Because of this, we need a reliable way to tell local SWF from remote one before loading it. And we must not make a mistake.

So again, is it safe to assume that if url begins with "http://", the clip will be loaded inside REMOTE sandbox?

© Stack Overflow or respective owner

Related posts about flash

Related posts about security