Cross Site Videos

Reply

It is possible to play any external video just by calling:
player.swf?file=http://example.com/pr0n.flv&autostart=1

in the context of any domain which uses the player. Is this behaviour intended? It's a kind of cross site video attack.
Do you have any suggestions how to disable this possibility?

Kind regards,
Thomas

Reply

@Thomas -

This is actually how parameters are passed into Flash, so it's not possible to disable that functionality entirely. However, you can make sure that player.swf is only loaded from pages on your domain. This restriction would be done in your web server configuration (for example, by using Apache mod_rewrite).

Reply

Hi Pablo and Thomas,
I know this is part of the Flash security model, but that capability can get you dinged on an internal audit, even if the player.swf file is secured behind multiple authentications. I would like to validate the "file" property against a domain name, even if it has to be hardcoded. The query string attack described above is what I would like to block. For normal playback we use RTMPE streaming, so whatever we do can't block a streaming playback session. Which .as file manages pulling data from the address bar?

Thanks,

Dave

Reply

@Dave -

As I mentioned above, your web server will receive all of the parameters sent to Flash as HTTP GET parameters when the SWF file is requested. You can detect undesirable patterns in these parameters in your web server and refuse to return the player SWF.

If you've got your heart set on modifying the player source, Configger.as is the one you want to look into.
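Added example, not part of the original thread and not the player's own code: one way to express the server-side check described in the reply above, as a function that decides whether a request for player.swf should be answered based on its query string. The host media.example.com, the scheme list, and the names may_serve_player and is_allowed_media are assumptions for illustration; how the function is hooked into the web server depends on the deployment.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumptions for this example: the hosts you actually serve media from.
ALLOWED_MEDIA_HOSTS = {"media.example.com"}
ALLOWED_SCHEMES = {"http", "https", "rtmp", "rtmpe"}


def is_allowed_media(value: str) -> bool:
    """Decide whether one decoded `file` value points at media we host."""
    value = value.strip()
    # Backslashes and control characters are parsed differently by different
    # URL parsers, so refuse them instead of guessing.
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        return True  # relative path such as /videos/intro.flv
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False
    # .hostname drops userinfo and port and lowercases the host, which covers
    # http://media.example.com@other.example/ and //other.example/ forms.
    return parts.hostname in ALLOWED_MEDIA_HOSTS


def may_serve_player(query_string: str) -> bool:
    """Return False when the request for player.swf should be refused."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    # Key matching is case-insensitive here as a conservative assumption.
    files = [v for k, v in pairs if k.strip().lower() == "file"]
    if len(files) > 1:
        return False  # duplicates: server and Flash may pick different values
    return all(is_allowed_media(v) for v in files)


if __name__ == "__main__":
    # Constructed sample query strings, including the one from the first post.
    for qs in ("file=http://example.com/pr0n.flv&autostart=1",
               "file=rtmpe://media.example.com/vod/clip",
               "file=%2F%2Fexample.com%2Fx.flv"):
        print(may_serve_player(qs), qs)
```

Parsing the parameter and comparing the host against an allowlist avoids the gaps a plain pattern match leaves, such as percent-encoded or scheme-less URLs.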
