I've got a crossdomain.xml file which allows SWFs running on only a certain few domains to download resources from my domain. However, one simple way around this is for a user to download the SWF to their local machine, and run it there (i.e. by double-clicking on it within Windows Explorer, not by running through http://localhost). It seems that when this happens, the crossdomain.xml file is ignored.
I understand that in my ActionScript, I can do this:
    if (Security.sandboxType.indexOf(Security.REMOTE) == -1) {
        // running locally - don't allow
    }
However it is incredibly easy for someone to decompile the SWF and simply remove this line.
Is it possible to do something on the server side to stop a locally running SWF from downloading from my site? I tried checking the referrer but this field often isn't populated. Does anyone have any other ideas?
Thanks, Matt
You will never be able to completely prevent downloads by using crossdomain.xml. If the user just copies and pastes the requested URL to a resource into a blank browser window, the mechanism stops working. Also, the mechanism can be cheated by using a proxy. All it does is raise the bar a little, especially when someone tries to use an SWF video player to stream an FLV video hosted on your site.
If protecting your resources is worth the effort, you should consider adding some sort of authentication / authorization mechanism and/or encryption.
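One way to build the server-side authorization suggested above, as an added example that is not part of the original thread: the page that embeds the SWF issues a short-lived HMAC-signed URL bound to the visitor's server-side session, and the resource handler verifies it before serving anything. The secret, TTL, function names and sample path are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Assumption: a server-side secret that is never embedded in the SWF.
SECRET_KEY = b"constructed-demo-key"
TOKEN_TTL = 300  # seconds a signed URL stays valid (assumed value)


def _sign(path, session_id, expires):
    # Bind the signature to the resource, the session and the expiry time.
    msg = f"{path}\n{session_id}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(path, session_id, now=None):
    """Run by the embedding page once the visitor has a valid session."""
    issued = time.time() if now is None else now
    expires = int(issued) + TOKEN_TTL
    return f"{path}?expires={expires}&sig={_sign(path, session_id, expires)}"


def authorize(path, session_id, expires, sig, now=None):
    """Run by the resource handler before any bytes are served."""
    now = time.time() if now is None else now
    try:
        expires = int(expires)
    except (TypeError, ValueError):
        return False  # missing or malformed expiry
    if expires < now:
        return False  # token has expired
    expected = _sign(path, session_id, expires)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected.encode(), str(sig).encode())


def check_request(url, session_id, now=None):
    """session_id comes from the server-side session, never from the URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    expires = query.get("expires", [""])[0]
    sig = query.get("sig", [""])[0]
    return authorize(parts.path, session_id, expires, sig, now)
```

Unlike crossdomain.xml or a Referer check, this decision is made entirely on the server, so a pasted URL stops working once it expires or when it arrives without the matching session.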
Double-clicking and running a SWF will usually only work if you have a standalone player installed; otherwise it will open with a browser. Does Adobe distribute a standalone player outside of Flash Pro? They didn't use to, although with Flash Platform Tools growing, they may do so now.
Nevertheless, I would expect most users will not have a standalone player installed. In terms of security and protecting content, I suspect you're focusing on the wrong thing.