How to Site-Lock a Flash Application?

Question

I have a flash application that I am going to put up on my website shortly. I want to be able to "lock it" to the site to prevent:

• Hosting the .SWF on another site (after an illicit download), and
• Preventing the .SWF from opening if included in an iFrame on another site

While allowing:

• A whitelist of sites to be passed through/enabled without me having to define all the variations of a URL (ie: www.abc.com, abc.com, abc.com/game/, games.abc.com, etc.)

There are commercial applications that cost hundreds of dollars to perform this task, but I'm pretty sure it can be done with:

root.loaderInfo.url

Somehow. Does anyone out there know how to go about doing this? My biggest concern is the iFrame prevention, as when sites steal flash they usually just iframe to your own site to save themselves the bandwidth costs.

I'm using Flex SDK (not the Flash IDE) so some pure AS3 code will do the trick for me.

Answer 1

This code will report back the loading URL. You can use it in your main loader to show an unauthorized message or not load at all if it doesn't match what you expect:

public static function Domain(root:Sprite):String {
    var currentDomain:String = root.loaderInfo.url.split("/")[2];
    var fqdn:Array = currentDomain.split(".");
    var rdi:int = 1;
    var tli:int = 2; 
    if (fqdn.length == 2) {
        rdi--;
        tli--;
    }

    return fqdn[rdi] + "." + fqdn[tli];
}

Answer 2

Check refer agents on the server is a common trick used often by image hosts. However the web is fundamentally designed to be flexible in it's linking capabilities and as a such there is no sure fire way to block every possibility. Best solution would be the need for the flash file to contact an auth server and check some strings passed by the original site to it.