I have a situation where my main SWF file loads many external SWF files. However, those external SWF files are just sitting in the public folder of the web server.

Is it possible to restrict the SWF visibility to only my main SWF file (the one that loads the external SWFs)? In the current state, any user who knows where to look can just type in the URL and get to the SWFs, not to mention rogue bots that don't follow robots.txt.

The reason for this is very simple. Users use a username/password to log into the main Flash application, and the main Flash application in turn loads the SWF files, and ONLY then are they available to the user. Also, depending on who the logged-in user is, some SWF files are restricted and not loaded.

Thanks for any help!

A: 

Depending on how secure you want to be, I can think of a couple of options:

  1. A server-side script to control delivery of your sub-swfs (as Pekka has suggested above).

  2. If you want to do everything client-side, you could put a conditional test within each sub-swf, so they will only play from inside your main swf:

Something like if(this.parent.toString() != "mainSwf") { stop();} (in pseudocode).

Granted, this isn't foolproof, since someone could easily make their own parent named "mainSwf", but it would deter casual browsing of your sub-swfs. At least until someone decompiles them...

You could make things slightly harder by setting a property within the main swf, such as var myKey:String="362574036704ry3f0y3432607", then use your conditional to test for it: if(this.parent.myKey != "362574036704ry3f0y3432607") { stop();}.

Still not terribly secure, though. Hope this helps.


EDIT:

There's also a similar question here, which might have useful answers.

Richard Inglis
-1 You can't propose a vulnerability on SO, especially if you know it's a vulnerability. Decompiling flash or replaying GET requests with tamperdata can bypass your client side security system.
Rook
@The Rook: Hehe, I'll be sure to read the FAQ more carefully next time! But do let me know how you think GET sniffing is going to crack this method. And yes, sometimes a server-side solution isn't possible for other reasons... guess we live in an imperfect world. :)
Richard Inglis
+1  A: 

It depends how flash is authenticating. Flash needs to authenticate with a server side application with a database. The server side application can then use a database to perform access control on a per-file basis.

All files should be tracked by a table that contains columns such as the local path to the file as well as user_group or perhaps a user_id. The authenticated session should keep track of the user_id after they have logged in with a username and password.

It is common for attack spiders to use robots.txt against you; if you put these file paths in your robots.txt, you are better off just zipping them up and giving them to the attacker.

It is very easy to decompile flash applications and modify them. Do not rely on "client side" security systems, they are very easy to bypass. An attacker can also replay and modify HTTP requests using tamperdata. You need a server to tell the client what files it can access.

Rook
Hi, thanks for the reply! I was thinking about using a method like this, but the problem is if the external SWFs are in a protected directory, i.e. not publicly visible, then Flash wouldn't be able to load them either, right? I think the main problem is that you can't pass SWF objects into a Flash application. Only a Flash application can load SWF objects by referring to an actual URL. So maybe it's not possible? :-(
helloworlder
Well I suppose if it's not possible I'll have to come to some sort of compromise. The copyright issue regarding SWFs is slightly complex but that's the nature of the business requirement. If it's a security compromise then I have to make that clear to my client. A usability compromise could be another way to go. Perhaps I can turn it into an AIR desktop application instead and users will log into the web application and see the SWFs "belonging" to them available for download. Then they download those SWF files from the server onto their computer so that the AIR app can access those files.
helloworlder
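The server-side gate Rook describes, and the concern in helloworlder's comment that a protected directory would also lock out the Flash loader, can be shown together in one worked example. This is added illustration code, not anything from the question, the answers, or the Flash platform: the SWFs live in a directory outside the web root, a files table records each file's local path and the groups allowed to load it, and the only way bytes leave the server is through a gate function that checks the caller's session. The file ids, session ids, user groups and "FWS" payloads are constructed sample data; the 401/403/404 status mapping and the storage layout are assumptions of the example.

```python
import os
import tempfile

# Constructed sample data standing in for the database tables Rook describes.
# The storage root is deliberately outside the web server's public folder, so
# nothing here is reachable by typing a URL; only the gate function below reads it.
STORAGE_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="swf_private_"))

# files table: file_id -> (local path relative to STORAGE_ROOT, groups allowed to load it)
# The last row is a deliberately bad entry to exercise the path-containment check.
FILES = {
    "intro": ("modules/intro.swf", {"basic", "premium"}),
    "advanced": ("modules/advanced.swf", {"premium"}),
    "bad-row": ("../outside.swf", {"premium"}),
}

# users table (user_id -> group) and the server-side session store
# (session_id -> user_id); the session id is what the browser's cookie carries
# after the username/password login.
USERS = {1: "basic", 2: "premium"}
SESSIONS = {"sess-alice": 1, "sess-bob": 2}


def safe_path(rel_path):
    """Resolve a stored path and refuse anything that escapes STORAGE_ROOT."""
    full = os.path.realpath(os.path.join(STORAGE_ROOT, rel_path))
    if os.path.commonpath([STORAGE_ROOT, full]) != STORAGE_ROOT:
        return None
    return full


def _populate_storage():
    # Write fake SWF payloads (constructed: a real SWF starts with "FWS" or "CWS").
    for rel_path, _groups in FILES.values():
        full = safe_path(rel_path)
        if full is None:
            continue  # never create files outside the private root
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"FWS" + rel_path.encode())


_populate_storage()


def authorize(session_id, file_id):
    """Decide whether this session may receive this file.

    Returns (http_status, absolute_path_or_None). The decision is made entirely
    from server-side state; the only client input is the session id and the
    requested file id, and neither is used to build a filesystem path directly.
    """
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return 401, None           # not logged in
    entry = FILES.get(file_id)
    if entry is None:
        return 404, None           # unknown file id
    rel_path, allowed_groups = entry
    if USERS[user_id] not in allowed_groups:
        return 403, None           # logged in, but this file is not theirs
    full = safe_path(rel_path)
    if full is None:
        return 404, None           # misconfigured row; never read outside the root
    return 200, full


def serve_swf(session_id, file_id):
    """What the gate script returns to the browser: (status, body in bytes)."""
    status, path = authorize(session_id, file_id)
    if status != 200:
        return status, b""
    with open(path, "rb") as fh:
        return 200, fh.read()


if __name__ == "__main__":
    for sess, fid in [("sess-alice", "intro"), ("sess-alice", "advanced"),
                      ("sess-bob", "advanced"), ("sess-bob", "bad-row"),
                      ("nobody", "intro")]:
        status, body = serve_swf(sess, fid)
        print(sess, fid, status, len(body), "bytes")
```

The main SWF points its Loader at the gate's URL with a file id (a hypothetical /swf?id=advanced) instead of at a file in the public folder; the browser attaches the session cookie and the SWF bytes arrive exactly as they would from a static file, which is why a non-public directory does not block the loader. Because the path comes from the table rather than from the request, the client cannot steer the read, and the containment check catches a bad table row as well. Note that a 403 reveals that a file id exists; answering 404 for forbidden files instead keeps the catalogue from being enumerated.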