Php :: Facebook Proxy Loader Security?
May 19, 2011
I'm using a PHP proxy script to load images from Facebook into Flash without any sandbox violations. It is taken from the guide here: [URL].. The relevant PHP code is:
[Code]...
The guide mentions that additional security measures are recommended for a real world application. What additional measures would be applicable to this? Maybe some kind of key passed from Flash to PHP?
I realise that there's nothing I can do to completely protect the Flash from being decompiled, but can I prevent the script from being used maliciously?
Similar Posts:
Dec 28, 2011
We've just developed a small Facebook puzzle that people win some gifts from our customer. I'd like to ask a few questions since I'm pretty stuck despite having tried lots of things. First I'd like to write what we have and then will explain our problems. Root of application (/) checks for signed_request in POST params, extracts information from it to see if we've registered the logged in user into our database. These checks are also used to understand if the request is sent from Facebook or not to prevent requests coming outside of Facebook. (will write why we want this) Once the application is successfully rendered, Facebook JS API takes place, does its checks and sets the fbsr cookie. We use that cookie information while processing ajax requests to check if the request really belongs to the logged in user (e.g.: scores being sent for a user belong to the logged in user).
We implemented CSRF protection and another protection to check if the requests are POST and more specifically AJAX requests and return 40x if not.nd out that some people seem to take advantage of this bug. One way I thought of is to ignore all requests except those coming from Facebook. Since the ajax requests are blocked (cross site) we should have been safe. However this led to another problem that, once we redirect users to e.g. leaderboard the signed_request data is lost and our index page returns 40x once the user tries to go back since our application thinks that the user tries to visit our application outside of Facebook.
Apr 7, 2010
I am trying to make an external interface call on widgets I am creating to get the domain for in/out of network stats.
[Code]...
From what I am reading an allowscriptaccess needs to be set to always, which I can't do because there isn't embed code that is sent to Facebook during a share so I don't have control over that.
Feb 21, 2010
I'm trying to upload images with Uploadify but I run into IO error. I have got demo and it works on my computer, so I decided to implement functionality of my application to this example step by step to catch the error and discovered that the reason of IO error is my local proxy.pac (I use FF):
function FindProxyForURL(url, host) {
if (shExpMatch(host, "*.app.local*")) {
return "PROXY 127.0.0.1:3000";
[code]....
Oct 25, 2011
I'm trying to display the profile images from both Facebook and Twitter. For Facebook, the URLs I'm receiving are something like this (not actual urls): [URL]... Which is then redirected to the 'actual' url like this: [URL].. I'm also doing this with Twitter, with the same issue (redirected url).
So, when I load the image, it loads fine. But when I close the container that the image is in, then I get the security sandbox violation. I can get this all to work if I add the URL from the 'actual' image url like this:
[Code]..
Mar 26, 2012
I'm trying to load images from Facebook Albums to my Flex app, this is the code called when I click on a FB image:
[Code]...
May 3, 2010
I'm writing a simple little test app consisting of 'main.as' and 'test.png', both within the same subdir on my harddrive. I'm compiling via command line with mxmlc, and testing via 'open with...' and Chrome. The code uses flash.display.Loader.load( "test.png" ) - but I can't access the loaded content (or even draw it to a bitmapdata!) due to security exceptions.
My goal is to get the image into something (preferably a bitmapdata!) I can draw to other bitmapdatas, as I understand this is fastest for gaming. I've tried all sorts of things, including creating a 'crossdomain.xml' that goes in the same dir as the above files (and doing the appropriate LoaderContext thing), tried various system.Security things and still no joy.
Dec 7, 2009
I have a flash game embedded on Facebook but need access to the flashvars Facebook passes to all embedded games. However I am using the mochiads preloader meaning that _root.fb_sig_user is always undefined? How do I get to the variables? stage.loaderInfo.parameters.fb_sig_user
Mar 3, 2011
I'm having trouble passing the url for a user's Facebook profile picture to a Loader() variable. I'm using a PHP file to get around the security and from the debug I made, it shows that I'm getting the URL fine, but the Loader runs the error event listener. Here is what my facebookProxy.php file looks like:
<?php
$path=$_GET['path'];
header("Content-Description: Facebook Proxied File");
[code].....
Sep 13, 2011
I try to "catch" this error when I'm loading some images. The following code is a test case for my problem to secure that there are no errors in the surrounding code.
import flash.events.SecurityError
import flash.display.Loader;
import flash.net.URLRequest;
[code]...
I'm working on an interactive movie with many images and movies which are loaded dynamically in the application. In this snippet I generated the worst case in my application (trying to load an image that does not exist). When I run this code I get the trace "SecurityError: Error #2000: No active security context" and not the trace of my listener.
Oct 24, 2010
I'm currently building an application using the Adobe Facebook API and I've run into an issue where for the login method the Facebook login popup displays but when doing a Facebook share/post the popup is blocked.
This code works fine and displays me a Facebook login popup without question (Firefox):
var permissions:Array = ['publish_stream'];
Facebook.login( onFacebookLogin, { perms:permissions.join(',') } );
However, the following code running in the same application throws up a popup blocker (again Firefox):
Facebook.ui( "stream.publish", "popup", params );
Does anyone know of a work around this issue to make the share popup come up just like the login popup?
May 19, 2009
I am getting a strange problem while I am making my release build swf. The swf is supposed to make some internal server calls and then display the data and also play it. When I make a release build swf and execute it, while making server calls it throws exceptions like SecurityErrorHandler: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2170: Security sandbox violation: file:///Path to the swf/WebPlayer.swf cannot send HTTP headers to **Method Name to bring data from the server***] And after this nothing can be done as everything depends on the data from the server. I have updated my cross-domain.xml on the server to support the master-only policy file but that also didn't .. My cross-domain.xml is
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
[code]......
Apr 17, 2009
I haven't fully grasped how the flash security model works, and now I've run into a problem. I have a base SWF that loads a game loader swf, which in turn loads the actual game. What I'm trying to do is taking a current bitmap snapshot of the running game. This works fine before the loader swf has loaded the game. When the game is loaded, I get a security violation because the game has images pulled from Facebook. Is this something that can be solved on my end, or restricted by security in the game swf?
Jun 1, 2009
I'm trying to determine the practical difference between using the com.facebook.session.WebSession and com.facebook.session.JSSession. The documentation ([URL]) has more around WebSession - but the example I have which is closest to what solution I'm trying to implement uses JSSession and it looks like I could avoid all of the JavaScript pass-through & ExternalInterface calls I'm making. It appears that the benefit of using this new ActionScript Facebook API is to avoid having to make all of the Facebook calls via JavaScript.
Mar 13, 2011
I have literally spent HOURS trying to solve this mystery... but simply can't seem to get hold of it.
I am using the same code lines (literally!) as the example here (official adobe tutorial) and I get different result.
[Code]...
Everything works fine, i.e. everything till it is time to fire the loggedin event. I get asked to log in and all permissions are asked correctly. After I log myself in to facebook, the loggedin event doesn't fire. Is there any way of solving this problem??
Sep 24, 2009
I am using a Flex widget for my Facebook application. How can I get the current user's Facebook ID?
Jan 13, 2012
I need to connect to have a button on my website that connects to Facebook (if not already logged in) and posts to the user's wall. I've only done this from within an iFrame - do I still need AppId etc etc?
Apr 4, 2012
I have a Facebook application where the user chooses 4 of his friends and then it creates a video (swf) with the pictures of your friends in it (loaded via xml). So I need to share this video on the user timeline. Everything works fine but the video is not embedded in the post on his timeline, there is only a post with the link to the page in it. The weird thing is, if I post the url directly on my timeline, the video is embedded, but not if the same link is posted via the application. Here is my code called by the share button in js:
function postToFeed() {
var obj = {
method: 'feed',[code].........
Dec 6, 2011
I've recently used the 'Static HTML' application to add autoplaying flash content to a Facebook Page. Nothing too fancy, no sound, and only a few secs long. Now, Facebook say:- "Apps on Pages must not host media that plays automatically without a user's interaction."
What do they mean by 'Media' exactly? I can understand a ban on autoplaying audio content but does the ban extend to something as harmless as an animated GIF? Or more to the point, does an autoplaying .swf file fall under this?
Lastly, what course of action would Facebook take if I did violate this rule? Would they issue a warning (giving me an opportunity to remove the 'offending' item) or would they just shut down my page without any consultation?
Sep 24, 2009
I can't find in the Adobe Facebook API how to log the user out of Facebook. The FacebookSessionUtil (and the related sessions and Facebook classes) all have a .logout() function, which will invalidate the user's current *session* within the swf, but it doesn't log the user out of Facebook.
What am I missing here? How are you supposed to log the user out of Facebook with this API? Since it's part of the TOS for Facebook Connect apps, you'd think this would be available in the API somewhere.
Dec 20, 2009
I'm having trouble with an AS3 AMF RemoteObject request that is hosted on App Engine. I have a crossdomain.xml file in the root of the domain, and also one at the remoting endpoint. Here are the contents of the root crossdomain.xml:
<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies ="all"/>[code].....
Loading the swf file and testing it on my machine works just fine... I think that may have something to do with me having the debugger version of Flash Player. When I push it up to App Engine to make it public, other clients access it and get a Client.Error.MessageSend Channel.Security.Error error Error #2048 url: http:[url]....... I am using Flex 4 beta, and the App Engine Python runtime. I have tried full wildcard in the crossdomain, and even accessing the data endpoint at a relative URL so as to avoid this error.
Apr 29, 2009
My SWF resides on domain A, is loaded by a web site on domain B and is trying to ping URL (URLLoader.load) on domain C. But I am getting "#2048: Security sandbox violation" .. why? Of course I have read the manual, I saw the security white paper but I do not understand it. Don't you know any blog or such where it is explained for dummies? With lots of examples and maybe a table showing what is allowed and what is not?
Nov 8, 2011
After I upload a photo on a desktop Facebook application I need to store its post id in a database. From the Facebook ActionScript SDK documentation:
api() method
public static function api(method:String, callback:Function, params:* = null, requestMethod:String = GET):void
Makes a new request on the Facebook Graph API.
Parameters [...]
callback:Function — Method that will be called when this request is complete. The handler must have the signature of callback(result:Object, fail:Object); On success, result will be the object data returned from Facebook. On fail, result will be null and fail will contain information about the error.
So I implemented my callback function as follows:
protected function handleUploadComplete(response:Object, fail:Object):void{
status = (response) ? 'Success' : 'Error';
[code].....
Mar 5, 2008
I get the following error: "Error #2044: Unhandled securityError:. text=Error #2048: Security sandbox violation: [URL] cannot load data from 192.168.3.5:4854. at TicTacToe_fla::MainTimeline/TicTacToe_fla::frame1() ". I tried to solve this problem for about 3 hours, but I failed. I have the file crossdomain.xml in the same folder as my .swf file on the server with this content:
[Code]...
Feb 17, 2011
So I need to retrieve XML from a public API, but my app is in Flash and the public service won't implement a crossdomain.xml file. I found this PHP script online (below) for a proxy to request the URL. It works fine for URLs like:
[URL]
but the script seems to either strip or ignore any arguments on the URL, like:
[URL]
I'm PHP ignorant. Is there an easy way to have this script process those URL arguments? Here is the script:
<?php
$post_data = $HTTP_RAW_POST_DATA;
$header[] = "Content-type: text/xml";
$header[] = "Content-length: ".strlen($post_data);
[code]....
Aug 18, 2010
Is it possible to use Apache to proxy/tunnel RTMP(S) traffic through to Flash Media Server? Basically, I want to tunnel RTMP traffic using HTTP through Apache. What I want to be able to do is open up an appropriate port (either 80 or 443) on the Apache server and have that proxy traffic through to Flash Media Server. The reason I ask is that I have set-up this scenario but I keep getting a "NetConnection.Connect.Failed" error message; I captured the network traffic flowing between my machine and the server and it is connecting to the server, just nothing happens after that. Do I have to connect directly to Flash Media Server?
Aug 23, 2011
How do I get the client IP from users in my registration forms? It's easy to get the IP when the user isn't using a proxy, proxy cascade or VPN. But if he uses one of those it's difficult. X-Forwarded-For isn't reliable and fails within cascades.
But there are possibilities, because Java applets and Flash aren't using the proxy services. How can I achieve getting the client IP with those techniques? I prefer to use a small Flash code to get the IP from the client, but how to implement it? Another way should be a counterpixel which is using IPv6. Most of the proxy services only support IPv4, can I tell an image only to use IPv6?
May 23, 2009
I know I can call my server directly from javascript. However, I want to do this through a non-GUI SWF file. I'm fairly new to Flash but have gotten all the CS3 tools from work. Does anyone know of any examples on:
1. how to make a web request from within flash provided the URL, post content, and timeout
2. how to call a Flash API from javascript asynchronously
3. how to detect whether the browser being used can support my SWF (I don't want it to prompt to install Flash if they don't have it yet)
I'm actually hoping someone has already done this and has a sample already built.
Jan 30, 2011
I need ActionScript Proxy to be castable to a particular interface.
Here is an example without interface:
public dynamic class Tracer extends Proxy {
flash_proxy override function callProperty(method:*, ... args):* {
trace(method + " " + args)
}
}
[Code]...
Mar 21, 2011
I want to use a proxy on the HTML Control found in Adobe AIR. I have tried looking at the AS3 docs on Adobe but honestly, it didn't explain the usage clearly to me and looking at Adobe's example, I can't seem to make out anything off of it.