Prevent swf file from executing scripts that load external files

0
votes

I want to know if it is possible to prevent a user created swf file from loading external content. If users are allowed to upload swfs to my site and display their swfs on their pages is it possible to prevent that swf from loading external images scripts etc...

To clarify:

The swf will be stored on the same domain as the website.

E.g.

www.example.com/user123

would display file:

www.example.com/usercontent/swfs/user123.swf

How do I prevent it from requesting:

www.anotherexample.com/images/someimage.jpg

I am thinking possibly a preloader would work so all swfs (that I can't control) get loaded into a preloader (which I can create/control) which has code in it that stops the child swf from executing as3 functions like:

var imageLoader:Loader = new Loader();
var image:URLRequest = new URLRequest("www.anotherexample.com/images/someimage.jpg");

So I would need to block any flash functions that load content.

Would also need to know how deal with actionscript 2. This could possible be restricted by only allowing as3 swfs somehow.

1
actionscript-3flashactionscript-2

1 Answers

0
votes

I think you are looking at setting this in your embed object tag for the swf:

<param name="allowScriptAccess" value="sameDomain" />

The default setting for allowScriptAccess is "sameDomain" which means that if the SWF and the surrounding HTML were both served from the same fully qualified domain name, then the SWF can communicate with the HTML's DOM and access data such as cookies or form data. If the HTML and SWF are served from different domains, then the SWF cannot access the surrounding HTML.

You might also want to look into:

<allow-access-from domain="*"/>

More info regarding that here: Cross domain policy file