Javascript :: Looking For Resources To Explain A Security Risk?

Jun 18, 2010

I've a developer who has given users the ability to download a zip archive which contains an html document which references a relative javascript file and flash document. The flash document accepts as one of its parameters a url which is embedded in the html document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site, however the end user appears to want to view it locally. When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url.

I believe this is a security risk because one is transferring from the local computer zone to an external zone. I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability. The developer attempted to explain how to copy the files to a local iis instance, which I highly doubt is running on the user's machine, and I do not consider this to be a viable explanation.

View 2 Replies


Similar Posts:


Actionscript :: Javascript: Explain The Meaning Of :Number After A Function Declaration?

Mar 28, 2012

Remark from editor: OP misclassified ActionScript as JavaScript. I am new to Javascript and am confused by the following function declarations in ECMAScript.js2.

public class String extends Object {
...
public native function charAt(pos:Number):String;

[code].....

View 3 Replies

Javascript :: Flash - Security / Protecting Code In JavaScript?

May 10, 2010

With all the recent hype about JavaScript and HTML5 replacing Flash, I wanted to know - How would it be possible to protect client-side js code? Of course, it is possible to obfuscate it, but that would only make it a little harder. Also, for games which submit high scores to the server, wouldn't it be incredibly easy to modify those scores before they are sent to the server? I know even Flash files can be decompiled, but they can be obfuscated and flash decompilation is not as easy as modifying data in JS - could be done easily using a plugin such as Firebug. I'd like to know everyone's views on this.

View 2 Replies

ActionScript 2.0 :: Publish A Swf File Without Decompile Risk

May 4, 2011

I need to share a preview banner with my client, but I want to avoid the decompile risk. The client may decompile my banner and steal it. I need a safe way to do it.

View 1 Replies

Javascript :: Calling With Security Exception?

Mar 14, 2010

I have a swf hosted at domain A, and I have an html at domain B. My swf is able to be loaded from accessing the html at domain B. However, the swf gets a SecurityError: Error #2060: Security sandbox violation:

[Code]...

View 1 Replies

JavaScript :: Flash Security Sandbox - Call To Different Site

Nov 4, 2010

I mixed a.com and b.com in my original post, I'll try to rephrase stuff correctly:

A HTML page is loaded from a.com
The HTML embeds a Flash client from b.com
HTML contains a Javascript function that makes a connection to a.com, ie the origin of the HTML, not the origin of Flash
The Flash calls that Javascript function

Question: Do I need to have a crossdomain.xml in a.com?

View 2 Replies

Javascript :: Facebook Signed_request Data And Some Security Concerns?

Dec 28, 2011

We've just developed a small Facebook puzzle that people win some gifts from our customer. I'd like to ask a few questions since I'm pretty stuck despite having tried lots of things. First I'd like to write what we have and then will explain our problems. Root of application (/) checks for signed_request in POST params, extracts information from it to see if we've registered the logged in user into our database. These checks are also used to understand if the request is sent from Facebook or not to prevent requests coming outside of Facebook. (will write why we want this) Once the application is successfully rendered, Facebook JS API takes place, does its checks and sets the fbsr cookie. We use that cookie information while processing ajax requests to check if the request really belongs to the logged in user (e.g.: scores being sent for a user belong to the logged in user).

We implemented CSRF protection and another protection to check if the requests are POST and more specifically AJAX requests and return 40x if not.nd out that some people seem to take advantage of this bug. One way I thought of is to ignore all requests except coming from Facebook. Since the ajax requests are blocked (cross site) we should have been safe. However this led to another problem that, once we redirect users to e.g. leaderboard the signed_request data is lost and our index page returns 40x once the user tries to go back since our application thinks that the user tries to visit our application outside of Facebook.

View 1 Replies

Javascript :: SecurityError: Error #2060: Security Sandbox Violation

Feb 5, 2010

I'm trying to access a swf function from javascript using External Interface given by adobe and I get the following error.

SecurityError: Error #2060: Security sandbox violation: ExternalInterface caller http://media.varheroes.com/flash/flashtest.swf cannot access http://apps.facebook.com/feline-frenzy/flashtest/.
at flash.external::ExternalInterface$/_initJS()
at flash.external::ExternalInterface$/addCallback()
at flashtest_fla::MainTimeline/frame1()

View 2 Replies

ActionScript 3.0 :: Explain Syntax For (X ^ (X >> 31)) - (X >> 31)?

Oct 15, 2009

Explain in very very basic terms (or direct me to tutorial) what is happening in this syntax:

[code]...

This was part of an example on how to optimize code (posted in this forum awhile ago), specifically for replacing either:

[code]...

I understand how the brackets work, and that X is a variable (I presume a Number).

I assume that '^' == 'to the power of'.

I don't understand why they are using >> or 31 at all.

View 2 Replies

ActionScript 1/2 :: Gradient To _rotation - Please Explain Trigonometry?

Oct 28, 2011

From what I have gathered, _rotation uses radians? Basically, my initial goal was to make a movieclip rotate towards the mouse. I'm not very good at trigonometry. Using the help files I found atan2 which seemed to be what I needed. A little fiddling got me to this code:

var xDist:Number;
var yDist:Number;
var angle:Number;
onMouseMove = function () {

[code].....
 
However, the _rotation is opposite what is expected. This is not a problem as I can just flip the movieclip. But really what I'm here to ask is, please explain this code for me? I don't correctly understand how atan2 works.. and why it needs to be *60. Basically: How to get a movieclip to rotate towards the mouse.. and why does the code work, I want to learn trigonometry.

View 3 Replies

Flash :: Which Apps Are Available To Create Start Up Explain Videos

Jan 25, 2012

I was wondering if there is any easy tool to use in order to create a start up video? I know there is the Adobe After Effects option, which is extremely expensive.

Any tool that allows you to create an animation, easily? For a startup site, a video that explains what the startup does?

View 1 Replies

Professional :: Incorporate Audio (Voice) To Explain Flash Animation

Apr 6, 2010

I am doing a project on an interactive website that contains flash animations. I have to incorporate a voice that explains what is happening in the animations. I am using my own voice for this. I have recorded my voice and saved it as .mp3 files. Between each animation there are about 6-10 audio files. I am pretty sure I can import the sounds into the flash library and drag the sounds on the timeline and sync the sound with the animations that way but is it possible to control the sound using actionscript as I have to incorporate buttons that allow the user to play, pause and stop the animation and the audio. Or can I only use actionscript to achieve this.

View 7 Replies

Flash :: Animation Tool To Explain Software Project Visually

Dec 10, 2011

I have a software project, which involves complex process and calculation. Rather than writing its logic and business flow in a document, I want it to be explained in some sort of animation visually, which would be easier for someone new to my project.

View 1 Replies

ActionScript 3.0 :: Security Sandbox Security Violation Error?

May 19, 2009

I am getting a strange problem while I am making my release build swf. The swf is supposed to make some internal server calls and then display the data and also play it. When I make a release build swf and execute it, while making server calls it throws exceptions like SecurityErrorHandler: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2170: Security sandbox violation: file:///Path to the swf/WebPlayer.swf cannot send HTTP headers to **Method Name to bring data from the server***] And after this nothing can be done as everything depends on the data from the server. I have updated my cross-domain.xml on the server to support the master-only policy file but that also didn't .. My cross-domain.xml is

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>

[code]......

View 5 Replies

ActionScript 3.0 :: Sandbox Security - Restricted By Security In The Game Swf?

Apr 17, 2009

I haven't fully grasped how the flash security model works, and now I've run into a problem. I have a base SWF that loads a game loader swf, which in turn loads the actual game. What I'm trying to do is taking a current bitmap snapshot of the running game. This works fine before the loader swf has loaded the game. When the game is loaded, I get a security violation because the game has images pulled from facebook. Is this something that can be solved on my end, or restricted by security in the game swf?

View 2 Replies

Actionscript 3 :: Security Sandbox With Flex And AppEngine - Getting Client.Error.MessageSend Channel.Security.Error?

Dec 20, 2009

I'm having trouble with an AS3 AMF RemoteObject request that is hosted on App Engine. I have a crossdomain.xml file in the root of the domain, and also one at the remoting endpoint. Here are the contents of the root crossdomain.xml:

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies ="all"/>[code].....

Loading the swf file and testing it on my machine works just fine... I think that may have something to do with me having the debugger version of Flash Player. When I push it up to App Engine to make it public, other clients access it and get a Client.Error.MessageSend Channel.Security.Error error Error #2048 url: http:[url]....... I am using Flex 4 beta, and the App Engine Python runtime. I have tried full wildcard in the crossdomain, and even accessing the data endpoint at a relative URL so as to avoid this error.

View 1 Replies

ActionScript 3.0 :: Flash Security - Getting "#2048: Security Sandbox Violation"?

Apr 29, 2009

My SWF resides on domain A, is loaded by a web site on domain B and is trying to ping URL (URLLoader.load) on domain C. But I am getting "#2048: Security sandbox violation" .. why? Of course I have read the manual, I saw the security white paper but I do not understand it. Don't you know any blog or such where it is explained for dummies? With lots of examples and maybe a table showing what is allowed and what is not?

View 2 Replies

Flash 9 :: Sandbox Security - Error #2044: Unhandled SecurityError:. Text=Error #2048: Security Sandbox Violation

Mar 5, 2008

I get the following error: Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: [URL] cannot load data from 192.168.3.5:4854. at TicTacToe_fla::MainTimeline/TicTacToe_fla::frame1() ". I tried to solve this problem for about 3 hours, but I failed. I have the file crossdomain.xml in the same folder as my .swf file on the server with this content:

[Code]...

View 7 Replies

Add On 'Text Effect' Resources?

Dec 29, 2009

Can anyone tell me if there are any FREE resources for additional Text Effects for Flash 8 Pro? I've dabbled with the conventional glow, stretch, spin, rotate, blur type of transitions over the last couple of weeks, so now have an appetite to try something new. I've found some tutorials around the net on specific single effects, but would relish finding a small group of add-on effects somewhere!

View 7 Replies

ActionScript 3.0 :: Remove All Resources In It?

Jan 12, 2009

I tried to do [code]...

I try to do the above in a function which is an error handler, I want to remove the sock (socket resource) EI (a reference to ExternalInterface) currentIP (which is just a string) lines (array) commands (array) recieved (string) [code]...

View 2 Replies

ActionScript 3.0 :: Flash CS4 (player 10) Resources

May 28, 2008

The new Flash 10 player was released. [URL] To get things running you currently need to use the Flex3 sdk. More details are described here: [URL] Click the link on my footer.

View 16 Replies

Banner / Image Rotator - Looking For Resources

Feb 26, 2009

I am a web developer (CF and ASP.net) working on a new project. I toyed with flash back around the beginning of Flash MX around the early 2000's. Basically I am looking for direction on this -- I would like to have a small flash movie that displays a collection of pictures with some sort of transition. Ideally, I would like to pull the image paths from a database and rotate through them at some time interval. This seems like something that shouldn't be too difficult - and I am sure it has been done thousands of times - I am surprised I cannot find more information through google searches. Maybe I am not keying on the correct terms!??!? Anyways, If anyone could provide some direction - I am hoping that I can pick it up with a little push. Having not touched flash in 7 or 8 years, I am kind of stuck getting started.

View 2 Replies

ActionScript 3.0 :: Embed Resources From An Embedded XML?

Mar 20, 2011

I want to embed all my resources in the SWF but I want to maintain the flexibility of the xml. So, I want to embed my XML and then embed images bringing them from the embedded xml.

For example, this is my test.xml [code]...

View 2 Replies

Flex :: HTTP Resources Not Loading?

Jul 8, 2009

I'm working through the Adobe "Flex in a Week" video training series, and I've reached Exercise 9, which deals with creating a remote service call. Up until this point, the data source and images have been local assets (located in src/assets in my Flash Builder project).
I access the room list by this:

<mx:HTTPService id="rooms" url="assets/roomList.xml"
fault="httpFaultHandler(event)"
result="httpResultHandler(event)"/>

Here are the two result handlers:

private function httpFaultHandler(event:FaultEvent):void{
Alert.show("There was a problem","Error");
}[code]...........

However, when I run the application in the blazeDS container, I get no rooms despite the fact that the room list clearly exists in the deployment directory after running the application:

$ find . -name roomList.xml
./tomcat/webapps/odt/adobeODT-debug/assets/roomList.xml

How can I debug the reason for this failure? The deployment process used by the Flash Builder tool is fairly opaque, and the tomcat instance isn't advertising 404s from Flex apps. Is there logging somewhere, or something, that needs to be turned on?

View 1 Replies

Actionscript :: Resources For Pure Games?

Oct 14, 2009

What resources (books or website/tutorials) are available, that cover game development using pure Actionscript 3 code? By pure, I mean not using Flash CS4 and its timeline, and not using Flex MXML components. Everything done using only Actionscript code.

In another question, I asked about using certain objects of the Flex SDK for simple games, and the consensus was that I shouldn't use it at all, but only Actionscript for a game. Sounds reasonable, but the books/website tutorials that I have found on the subject of games, all use AS3 in the context of Flash CS4. They assume your objects will be movieclips, with timelines, etc.

I realize that you can learn game programming from books in other languages, and/or ignore the Flash aspect of AS3 books. I guess what I'm looking for, is whatever information is specific to AS3, such as best practices for AS3-only games, how to make architectural/design decisions, etc. If it exists, anyway :)

View 3 Replies

Flash :: Drupal Path To Resources?

Aug 27, 2010

I have the following javascript to embed a flash in my page.tpl.php

<script type="text/javascript">
<!--
var flashvars = {
xmlUrl: "xml/banner.xml" //Use to change XML filename or location
};

[Code]...

View 2 Replies

AS3 :: Flash - Obscuring The Loaded Resources?

Sep 11, 2010

This is sort of a two part question. I'm building a flash image viewer to be a portable age-restricted module (violent video games). Basically, it will load any number of images from a CDN and require the user to enter their birthday before viewing it. Simple stuff. The problem is that, per company policy, we can't allow those images to be directly accessible by any means of sniffing (eg, watching your Resources/Net tab in Webkit/Firebug, or watching XHR if we loaded them that way). So, I'd like to get your opinions about the best way to approach this.

At first I thought to have a server-side script that loads the image (eg via PHP) by passing a var that can be decrypted but with a dynamic salt, eg, using a method that is very unlikely to be discovered (for example, having the salt be embedded throughout the string), but that defeats the purpose of the CDN as all requests would be geolocated to the server.

Then I thought that loading the images via sockets would be a good solution, however, I'm having trouble converting the binary image (after removing the response headers) to a Bitmap. Is there a better way to go about this? I know that realistically it's impossible to completely prevent the content from being linked to (eg someone could screenshot the flash) but my goal is just to take steps on our side to prevent that from happening by native means. Below is the socket code (irrelevant parts removed), if that helps any.

package com.std.socket {
import flash.system.Security;
import flash.net.Socket;
import flash.events.*;

[code]....

As I'm writing I'm thinking that in SocketRequest::evt_socketResponse(), the this.sock.readUTFBytes() bit should really be:

this.request.response_parts.push(this.sock.readBytes(this.data, this.data.length, evt.bytesLoaded));

and then remove the headers from this.data, but TBH I'm not super ByteArray-savvy.

View 1 Replies

Flash :: Publish External Resources With SWF In AS3

Jan 16, 2011

Is there a way to load graphics externally when in development but package the graphics into the project's swf when it is published?

View 1 Replies

C# :: Play A SWF File Placed Into Resources Folder

Aug 1, 2011

I need to make a Windows application in which, at loading time, I need to play a Flash (.swf) file in WebBrowser. But I can play the Flash file directly from hard disk to WebBrowser control. Here I need to play the .swf file in the Resources folder and load it in WebBrowser control.

View 2 Replies

Flash :: Replace SWF Resources Without Having To Decompile?

Sep 23, 2011

I want to replace an image inside of a SWF File without the need to decompile it.

View 1 Replies






