As you might know, browser's security model does not allow a script loaded in a page from http://www.example.com to make cross-domain requests (no AJAX calls to any other domain other than www.example.com). The Javascript file itself could have been served from a different domain altogether (www.javascript.com/myscript.js) and that is irrelevant. This is the Same-Origin Policy.
Flash also has something similar? But does Flash treat the origin to be the HTML page where the .swf file was loaded or origin is the domain which served the .swf file?
So http://www.example.com loads a开发者_如何学Go .swf file from http://www.swf.com/myflash.swf. Now .swf can load resources only from www.example.com or only www.swf.com? I'm assuming there are no cross-domain.xml files setup on either example.com or swf.com.
I think, this article explains a lot about the problem you mention: http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
From there:
For website owners, all user-supplied content should be served from a completely separate domain. This is already implemented by Yahoo mail, Hotmail, Wikipedia, and many other major websites, but a huge variety of self-contained web applications do not do so (and if I can, for example, upload a malicious file to "apiwiki.twiitter.com", I can perform cross-subdomain cookie attacks). A partial solution was made possible by Flash 10,0,0,2: SWF files served with a "content-Disposition: attachment" header will not execute when embedded in a web page. If all user-generated content is served with this header (not a bad idea in any case), it may limit your exposure, but this is not a very robust solution.
It sounds like if you serve the content from a different domain and there are no cross-domain policy files, then flash cannot access files from your main server.
Also, this article: http://supergeekery.com/index.php/geekblog/2009/12 states that
And everything I write should be able to trust each other and share with each other. You may wonder if Flash Ads are a problem. Do they have this problem? No, there are Flash ads all over the internet, but since they are almost never hosted on the same server as the domain you’re visiting, they don’t get to access the data the web site’s primary code’s data. Cool.
精彩评论