Flash Player security misunderstanding


Up until now, I had been making some incorrect assumptions about Adobe Flash Player’s security model.

I had assumed that, in general, a SWF could not access anything outside the domain it was served from without a special allowance, such as a crossdomain.xml policy file on the target server or a System.security.allowDomain() call in the target SWF.

What I didn’t realize is that these domain restrictions do not apply to simply loading and displaying content from another domain with, say, loadMovie() for SWFs or JPGs. It is true that, in general, one SWF cannot script (read the variables of, or call functions in) a SWF loaded from another domain unless that SWF opts in with allowDomain(), and reading raw data from another domain (LoadVars, XML, or the pixels of a loaded image) still requires a crossdomain.xml policy file on that server, but simply loading and displaying is fine.
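The distinction above, as an added ActionScript 2 example that is not part of the original post: the host SWF, the domain names (host.example, other.example), the file names and the variable `score` are all assumptions made up for illustration. The loaded SWF renders with no policy in place, scripting it requires the loaded SWF to call allowDomain(), and a data read is gated by the remote server’s crossdomain.xml.

```actionscript
// Added example (not from the original post). Assumed layout:
//   this SWF is served from  http://host.example/viewer.swf
//   the remote content lives on http://other.example/
// Written against the AS2 / Flash Player 8-9 security model.

var remote:MovieClip = this.createEmptyMovieClip("remote", this.getNextHighestDepth());
var loader:MovieClipLoader = new MovieClipLoader();

var listener:Object = new Object();
listener.onLoadInit = function(target:MovieClip):Void {
    // 1. Display works: the remote SWF (or JPG) renders inside this SWF with
    //    no crossdomain.xml on other.example and no allowDomain() anywhere.
    trace("remote content loaded and displayed");

    // 2. Cross-scripting does NOT work unless the loaded SWF opts in.
    //    target.score stays undefined here until widget.swf itself runs
    //        System.security.allowDomain("host.example");   // or "*"
    //    (that line belongs in the loaded SWF, not in this one).
    trace("remote variable: " + target.score);
};
listener.onLoadError = function(target:MovieClip, errorCode:String, httpStatus:Number):Void {
    trace("load failed: " + errorCode + " (HTTP " + httpStatus + ")");
};
loader.addListener(listener);
loader.loadClip("http://other.example/widget.swf", remote);

// 3. Reading *data* (as opposed to displaying it) is still a cross-domain
//    access: this call completes with success == false unless
//    http://other.example/crossdomain.xml grants access to host.example.
var lv:LoadVars = new LoadVars();
lv.onLoad = function(success:Boolean):Void {
    trace("LoadVars from other.example: " + (success ? "allowed by policy file" : "blocked"));
};
lv.load("http://other.example/data.txt");
```

The same split applies to images: a JPG from other.example displays fine, but copying its pixels with BitmapData.draw() is treated as a data read and is refused unless the remote server’s policy file permits it.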

And all this time I had shelved a number of ideas that I thought weren’t possible because of cross-domain issues. Hmmm…!

For reference, here is Adobe’s white paper on the Flash Player 9 security model (PDF) and a white paper on security-related APIs for ActionScript 1.0 and 2.0 (PDF).
