MACROMEDIA FLASH 8-ACTIONSCRIPT 2.0 LANGUAGE Reference page 1063

Actionscript 2.0 language reference

However, suppose that you want to allow buttons in catalog.swf, served over HTTP, to add items to the shopping cart in cart.swf, served over HTTPS. To accomplish this, cart.swf calls allowInsecureDomain(), which allows catalog.swf to script cart.swf. This action has an unintended consequence: now the hypothetical attacker can alter catalog.swf as it is initially being downloaded by the user, because catalog.swf is delivered with HTTP and is not tamper-resistant. The attacker's altered catalog.swf can now script cart.swf, because cart.swf contains a call to allowInsecureDomain(). The altered catalog.swf file can use ActionScript to access the variables in cart.swf, thus reading the user's credit card information and other sensitive data. The altered catalog.swf can then send this data to an attacker's server.

Obviously, this implementation is not desired, but you still want to allow cross-scripting between the two SWF files on your site. Here are two possible ways to redesign this hypothetical e-commerce site to avoid allowInsecureDomain():

Serve all SWF files in the application over HTTPS. This is by far the simplest and most reliable solution. In the scenario described, you would serve both catalog.swf and cart.swf over HTTPS. You might experience slightly higher bandwidth consumption and server CPU load when switching a file such as catalog.swf from HTTP to HTTPS, and your users might experience slightly longer application load times. You need to experiment with real servers to determine the severity of these effects; usually they are no worse than 10-20% each, and sometimes they are not present at all. You can usually improve results by using HTTPS-accelerating hardware or software on your servers. A major benefit of serving all cooperating SWF files over HTTPS is that you can use an HTTPS URL as the main URL in the user's browser without generating any mixed-content warnings from the browser. Also, the browser's padlock icon becomes visible, providing your users with a common and trusted indicator of security.
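The following frame script for cart.swf is an added illustration, not code from the Flash 8 reference itself; it places the weak allowInsecureDomain() call beside the allowDomain() call that suffices once both SWF files are served over HTTPS. The domain name www.example.com, the cartTotal variable, and the _url protocol check are assumptions made for the example.

```actionscript
// Added example (not from the Flash 8 reference): frame script in cart.swf,
// the HTTPS-served SWF that holds the shopping cart. www.example.com is a
// placeholder for the site's real domain.

// WEAK (the scenario above): grants scripting access to any SWF from the domain,
// including catalog.swf loaded over plain HTTP. A catalog.swf altered in transit
// inherits this access and can read cart.swf's variables.
//
//   System.security.allowInsecureDomain("www.example.com");

// REDESIGN 1: catalog.swf is now served over HTTPS as well, so the ordinary
// allowDomain() call is enough. HTTP-origin SWF files are never granted access,
// because allowDomain() does not let HTTP content script HTTPS content.
System.security.allowDomain("www.example.com");

// Defensive check (assumption: desired by the site): _url is the URL this SWF was
// actually loaded from. If a stale link loaded cart.swf over HTTP, the cart data
// is not tamper-resistant, so refuse to initialise the sensitive part of the cart.
function loadedOverHttps():Boolean {
    return this._url.indexOf("https://") == 0;
}

var cartTotal:Number = 0; // sensitive cart state (constructed placeholder)

if (loadedOverHttps()) {
    // Normal cart initialisation goes here; catalog.swf (also HTTPS) may now
    // call into this movie, e.g. to add items, without exposing cartTotal to an
    // HTTP-delivered, modifiable SWF.
    trace("cart.swf loaded over HTTPS; cross-scripting enabled for www.example.com");
} else {
    trace("cart.swf not loaded over HTTPS; cart disabled");
}
```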
security (System.security)
