Flash Persistence: one more try


[Update: this may be a false alarm. See how I resolved the problem.]

I'm still trying to find a workaround to the Flash persistence security hole that opens up when you script your Flash movies from JavaScript.

What I want to try now is to code my ActionScript so that it compares the URL of the Flash movie of which it is a part (something like _root.movieClip._url) to the URL of the web page in which the movie is embedded. If they are not the same, then the ActionScript knows that it is being hotlinked, and can refuse to return any persistent data.

My problem is that I don't know the ActionScript programming environment or API well, and I can't find a way to find the URL of the document in which the movie is embedded. It seems like there ought to be a way, but I don't know...

Anyone know how to do it?

4 Comments

The only way to get the URL of the current page is to call back into the JavaScript and get that value back into Flash. That requires some serious hackery (e.g. Flash-JavaScript Integration Kit) or a dependency on Flash 8 (it has an API for Flash-JavaScript communication).

Thanks Bob. This is bad news. I'm not concerned about the ActionScript-JavaScript hackery. I've started to get used to that.

Hackery or not, it isn't secure: I'm sure that the client-side JavaScript could return a spoofed URL.
If you are correct, a Flash movie has no way of knowing for sure what page it is embedded in. It can't detect hotlinking and refuse to run.

You could have the Flash movie 'call home' when it loads, and use a server side script to check the referrer of the request (should be the page the movie is on) and return true or false depending on where the request comes from.

Geoff,

That's sneaky. Sounds like it might work. But if the solution is that heavy-handed, it is probably too much for my immediate needs...

I just have a hard time accepting that there is not a trivial ActionScript property that holds the URL of the containing document! What were they thinking? This seems like a very relevant and useful thing to be able to determine...

In a Java applet, you call applet.getDocumentBase() to get the URL of the containing document. I want something just like this for Flash.
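The server-side half of the "call home" check suggested in the comments, as an added example that is not code from the post or its commenters. It assumes, as that comment does, that the request's Referer is the embedding page; the allowlisted host and the function names are constructed for illustration. The Referer header is supplied by the client, so this stops hotlinking from ordinary browsers but not from a client that forges headers.

```python
from urllib.parse import urlsplit

# Constructed allowlist: origins of pages permitted to embed the movie.
ALLOWED_EMBED_ORIGINS = {
    ("https", "www.example.com", 443),
    ("http", "www.example.com", 80),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_origin(referer):
    """Return (scheme, host, port) for a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # hostname is already lowercased and stripped of any userinfo ("user@host")
    return (scheme, parts.hostname, port)


def may_return_persistent_data(headers):
    """Answer the movie's 'call home' request: True only for an allowlisted page.

    The whole origin is compared exactly, never by substring or prefix, so
    look-alike hosts do not match. A missing or malformed Referer fails closed.
    """
    # HTTP header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    return referer_origin(lowered.get("referer")) in ALLOWED_EMBED_ORIGINS
```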
