Puma

Reputation: 135

Block external access to swf

I have implemented an SWF application which I host on my website and use object and embed tags to load it in.

I observed that the same SWF file is referenced by external websites using the above html tags. Is there a way to block these references?

I tried setting X-Frame-Options to SAMEORIGIN but it didn't work.

Thank you in advance.

Upvotes: 1

Views: 78

Answers (1)

Organis

Reputation: 7316

If they steal your SWF to put it on their domain, use VC.One's advice. Then, if they are hotlinking it... let's do some magick.

When the SWF loads a relative URL, the request (luckily) goes via the browser, and the browser retrieves the URL relative to the topmost document frame.

Regardless, your SWF still belongs to your domain, so does its security sandbox.

Split your SWF into 2 parts (let's name them Outer and Inner; Outer starts first, then it loads Inner) that do not work without each other (share classes, access each other's display list, etc.). Domain-lock them to your domain, so neither of them starts from another domain. And a final move: let Outer load Inner via a relative URL.

  • If evil guys put both SWFs on their site, they won't start, due to the domain lock.
  • If evil guys hotlink the Outer SWF, it will try to load the Inner SWF from the wrong place.
  • If evil guys copy Inner to their site so Outer loads it via the relative link, Inner and Outer will get a security violation trying to access each other's content.

If splitting the SWF is not an option, there's still a more complicated solution with the use of a server-side script.

UPD.

Let's say your application has class A that uses class B. In order to make the technique above work, you need to compile Outer with class B only and Inner with class A only, and where A uses B, instead of the compile-time access import B you should use the run-time access B = getDefinition("B") as Class. If the genuine Outer loads the genuine Inner properly, then getDefinition("B") will indeed return a class reference to B and all B functionality will be available. In any other case getDefinition("B") will fail and A will not be able to function properly.

Upvotes: 1
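The Outer/Inner split and the run-time lookup of class B, written out as an added ActionScript 3 example (this is not code from the answer above; it only follows its approach). It assumes the site is example.com, that the two halves are compiled into outer.swf and inner.swf, that class B is linked only into outer.swf and class A only into inner.swf, and that the four classes live in their own .as files as the comment headers indicate; all of those names are placeholders.

```actionscript
// ---- B.as (compiled into outer.swf only) ----
package {
    public class B {
        public function greet(name:String):String {
            return "Hello, " + name;
        }
    }
}

// ---- Outer.as (document class of outer.swf; knows B at compile time) ----
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.net.URLRequest;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;

    public class Outer extends Sprite {
        // Hypothetical origin of the site; replace with the real one.
        private static const ALLOWED:RegExp = /^https?:\/\/(www\.)?example\.com\//i;
        // Referencing B here makes the compiler link it into outer.swf.
        private static const LINK_B:Class = B;

        public function Outer() {
            // Domain lock: do nothing unless this SWF was served from our origin.
            if (!ALLOWED.test(loaderInfo.url)) {
                return;
            }
            // Load Inner through a relative URL into a child of our application
            // domain, so that code in Inner can resolve B from Outer at run time.
            var ctx:LoaderContext = new LoaderContext(false,
                new ApplicationDomain(ApplicationDomain.currentDomain));
            var loader:Loader = new Loader();
            addChild(loader);
            loader.load(new URLRequest("inner.swf"), ctx);
        }
    }
}

// ---- Inner.as (document class of inner.swf) ----
package {
    import flash.display.Sprite;

    public class Inner extends Sprite {
        private static const ALLOWED:RegExp = /^https?:\/\/(www\.)?example\.com\//i;

        public function Inner() {
            // Domain lock on both this SWF's own URL and the URL of the SWF that loaded it,
            // so Inner refuses to run stand-alone or under a foreign Outer.
            if (!ALLOWED.test(loaderInfo.url) || !ALLOWED.test(loaderInfo.loaderURL)) {
                return;
            }
            new A().run(this);
        }
    }
}

// ---- A.as (compiled into inner.swf only; no compile-time import of B) ----
package {
    import flash.display.Sprite;
    import flash.system.ApplicationDomain;
    import flash.text.TextField;

    public class A {
        public function run(host:Sprite):void {
            var domain:ApplicationDomain = ApplicationDomain.currentDomain;
            // hasDefinition() walks up to the parent domain, i.e. Outer's; it is false
            // when inner.swf was started on its own or by anything other than the
            // genuine Outer. Checking first avoids the ReferenceError getDefinition()
            // throws for a missing class.
            if (!domain.hasDefinition("B")) {
                return;
            }
            var BClass:Class = domain.getDefinition("B") as Class;
            var b:Object = new BClass();
            var tf:TextField = new TextField();
            tf.text = b.greet("visitor");
            host.addChild(tf);
        }
    }
}
```

Compile each half separately (for example with mxmlc, giving Outer.as and Inner.as as the respective document classes) so that B is really absent from inner.swf; the point of the run-time lookup is that A compiles without B, and only a genuine Outer sitting in the parent application domain can supply it.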
