Security changes in Flash Player 8

Source: Internet
Author: User

Local Sandbox

This section describes the local sandboxes in which a SWF can be placed.

Permission

Flash Player defines the following permission types for local files:

  • Local read. Local-with-filesystem SWFs have this permission; local-with-networking SWFs do not. It covers loading data from an external file into an ActionScript variable, where the data comes from a file on the local file system. Examples of local URL formats are given in the previous section, "What is affected". The affected data-loading operations are:

    • XML.load, XML.sendAndLoad
    • LoadVars.load, LoadVars.sendAndLoad, loadVariables, loadVariablesNum, MovieClip.loadVariables
    • Importing components from another SWF's library
  • Network send. Local-with-networking SWFs have this permission; local-with-filesystem SWFs do not. It covers sending data or requests to an Internet location or an HTTP server, which includes the following operations when used with non-local URLs:

    • XML.load, XML.send, XML.sendAndLoad
    • LoadVars.load, LoadVars.send, LoadVars.sendAndLoad, loadVariables, loadVariablesNum, MovieClip.loadVariables
    • XMLSocket.connect
    • NetConnection.call (Flash Remoting)
    • Importing components from another SWF's library
    • getURL, MovieClip.getURL
    • loadMovie, loadMovieNum, MovieClip.loadMovie, MovieClipLoader.loadClip
    • Sound.loadSound
  • Network read. Local-with-networking SWFs can send data over the network. Some network send operations are one-way: they send data and no reply comes back. Other network send operations can receive a reply; these are called network read operations, and each of them is also a network send operation. Local-with-networking SWFs may attempt network reads, although they need permission from the domain the data comes from. The following operations are network reads when used with a non-local URL:

    • XML.load, XML.sendAndLoad
    • LoadVars.load, LoadVars.sendAndLoad, loadVariables, loadVariablesNum, MovieClip.loadVariables
    • XMLSocket.connect
    • NetConnection.call (Flash Remoting)
    • Importing components from another SWF's library
  • SWF-HTML. This covers operations that let a SWF script the HTML page that contains it, and vice versa. Because the security models of Flash Player and web browsers may not match, of the three local sandboxes only local-trusted files have SWF-HTML permission. These operations include:

    • Operations from SWF to HTML:

      fscommand
      getURL("javascript:...")
      ExternalInterface.call

    • Operations from HTML to SWF:

      JavaScript API (SetVariable, GotoFrame, etc.)
      Calling callbacks created with ExternalInterface.addCallback

Placing a SWF in the local-with-networking sandbox

If a local SWF contains the UseNetwork tag, it is placed in this sandbox. Although the tag is meaningful only to Flash Player 8 and later, it can be placed in a SWF of any version. The tag can be created in either of the following ways:

  • When publishing from Flash 8, open the Publish Settings dialog box, select the Flash tab, find the "Local playback security" option at the bottom, and select "Access network only" (see Figure 1).

    Figure 1. Setting local playback security to network access only

  • If you do not have Flash 8, or want to change SWFs that are already published without republishing them, you can use the Flash Local Content Updater, a free command-line utility available for download from macromedia.com. The Local Content Updater can add, remove, or check the UseNetwork tag on one or more SWF files. It is available for Windows, Mac OS X, and Linux, and also as source code.

Note: The UseNetwork tag has no effect on SWFs loaded over HTTP (these are always placed in the remote sandbox) or on SWFs in local locations the user has trusted (these are always placed in the local-trusted sandbox). The UseNetwork tag affects only SWFs that would otherwise be placed in the local-with-filesystem sandbox.

Placing a file in the local-trusted sandbox

If a local SWF (or HTML file) is at a location that the user's local configuration designates as a trusted local path, it is placed in this sandbox. A trusted path may name an individual file or a directory; when a directory is trusted, all files in it and in any of its subdirectories are trusted. Trust can be assigned in two ways:

  • Settings Manager. You can open the security panel of the Settings Manager and manually add, edit, or delete trusted paths in the list (see Figure 2).

    Figure 2. Security settings in the Flash Player Settings Manager

    You can also use the "Ask/allow/deny" option in this panel to make a global decision about how Flash Player handles older SWFs (local-with-filesystem SWFs of version 7 and earlier). The default is "Ask": Flash Player displays the warning dialog box and still denies the prohibited operation. If "Always allow" is selected, prohibited operations are allowed to proceed, which restores the default behavior of Flash Player 7. This setting does not affect SWFs of version 8 or later; it affects only content developed before the newer local rules existed. Selecting "Always deny" causes all prohibited operations to fail without the dialog box being displayed.

    Note: The ask/allow/deny option governs not only the local security prompt but also the exact-domain-matching prompts that have existed since Flash Player 7.

  • FlashPlayerTrust configuration files. These are simple text files that list trusted paths. They are meant to be created by executable installers: when an installer places SWFs on a computer, it can also install a trust configuration file that designates those SWFs as trusted. Although the user does not explicitly decide to trust each SWF this way, the user has implicitly extended trust by running the installer, which is after all an executable program. Flash Player looks for trust configuration files in two locations: one that affects all users of the computer and one that affects only the current user. The all-users location requires administrative permissions at the operating-system level. The locations are as follows:

    • All Windows users:

      <system>\Macromed\Flash\FlashPlayerTrust

      (For example, C:\winnt\system32\Macromed\Flash\FlashPlayerTrust)

    • Single Windows user:

      <Application Data>\Macromedia\Flash Player\#Security\FlashPlayerTrust

      (For example, C:\Documents and Settings\Fred\Application Data\Macromedia\Flash Player\#Security\FlashPlayerTrust)

    • All Mac OS users:

      <Application Support>/Macromedia/FlashPlayerTrust

      (For example, /Library/Application Support/Macromedia/FlashPlayerTrust)

    • Single Mac OS user:

      <Application Data>/Macromedia/Flash Player/#Security/FlashPlayerTrust

      (For example, /Users/Fred/Library/Preferences/Macromedia/Flash Player/#Security/FlashPlayerTrust)

These locations are directories, not single files. Any number of configuration files can be installed in them, and Flash Player reads every file it finds. A configuration file cannot be placed in a subdirectory of FlashPlayerTrust; it must sit directly in the FlashPlayerTrust directory. Configuration files can be named freely; to avoid naming conflicts, installers should give them product-specific names. The FlashPlayerTrust directories do not necessarily exist on a given system, so installers need to create them.

The syntax of these files is simple: they contain any number of local paths, one per line. Whitespace and blank lines are allowed. Comments start with a # character and extend to the end of the line. Paths that contain spaces need no quotation marks (quoting them may cause problems).

These files contain file system paths, which on some users' computers may include non-ASCII characters, so the text encoding of a FlashPlayerTrust file matters. Flash Player looks for a Unicode byte order mark at the beginning of the file; it recognizes the UTF-8 and UTF-16 byte order marks and treats the rest of the file as UTF-8 or UTF-16 accordingly. (For example, Windows Notepad and Mac TextEdit can write Unicode text files that begin with these byte order marks, as can many other text editors.) If Flash Player finds no byte order mark at the beginning of a FlashPlayerTrust file, it interprets the file using the computer's current "code page" (the default local encoding).
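An added example, not part of the original page or of Flash Player: a Python audit of a FlashPlayerTrust file that applies the decoding and syntax rules above and flags quoted paths and entries that trust a whole volume. The sample file contents are constructed, and treating # as a comment marker wherever it appears on a line is an assumption.

```python
import codecs
import locale

# Byte order marks the page says Flash Player recognises, with Python codec names.
BOMS = [(codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be")]

def decode_trust_file(raw, fallback=None):
    """Decode by BOM; with no BOM, fall back to the local code page."""
    for bom, codec in BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(codec), codec
    codec = fallback or locale.getpreferredencoding(False)
    return raw.decode(codec, errors="replace"), codec

def parse_trust_paths(text):
    """Return (line_number, path) for every line that still holds a path."""
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        # Assumption: '#' starts a comment wherever it appears on the line.
        path = line.split("#", 1)[0].strip()
        if path:
            entries.append((number, path))
    return entries

def audit_entry(path):
    """Flag entries that are malformed or grant trust more widely than intended."""
    findings = []
    if path[0] in "\"'" or path[-1] in "\"'":
        findings.append("quoted path")
    bare = path.strip("\"'").replace("\\", "/").rstrip("/")
    # A trusted directory covers all its subdirectories, so a root covers everything.
    if bare == "" or (len(bare) == 2 and bare[1] == ":"):
        findings.append("trusts an entire volume")
    return findings

def audit_trust_file(raw, fallback=None):
    text, codec = decode_trust_file(raw, fallback)
    report = [(n, p, audit_entry(p)) for n, p in parse_trust_paths(text)]
    return codec, report

# Constructed sample: UTF-16 LE with a BOM, one path per line.
SAMPLE = codecs.BOM_UTF16_LE + (
    "# installed by ExampleApp setup (constructed)\r\n"
    "C:\\Program Files\\ExampleApp\\content   # product directory\r\n"
    "\r\n"
    "\"C:\\Users\\Fred\\My Flash\"\r\n"
    "C:\\\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    print(audit_trust_file(SAMPLE))
```
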

HTML sandbox

So far we have talked about SWFs being placed in sandboxes, but Flash Player also places HTML files in sandboxes in order to control SWF-HTML interaction. Local HTML files have only two sandboxes: trusted and untrusted. By default, local HTML files are untrusted; they can be designated as trusted in the same ways as SWFs. The sandbox of a local HTML file matters only for HTML-to-SWF scripting (for example, using the Flash Player JavaScript API).

Determine the SWF sandbox

A SWF can determine its sandbox type by reading the following read-only ActionScript property:

System.security.sandboxType

This property has one of the following four string values:

  • "remote"
  • "localWithFile"
  • "localWithNetwork"
  • "localTrusted"

Local-with-filesystem sandbox behavior

SWFs in the local-with-filesystem sandbox can perform local read operations, but cannot perform network send or SWF-HTML operations.

If you use the debug version of Flash Player and connect it to the debugger in Macromedia Flash, then when a SWF in this sandbox attempts a prohibited operation, diagnostic information describing the failed operation appears in the Output panel.

When a user plays a SWF published for version 7 or earlier in this sandbox and it attempts a prohibited operation, a security warning dialog box is displayed, indicating that the content may have stopped working as intended because of the changes to the local security rules in Flash Player 8 (see Figure 3).

Figure 3. Security dialog box notifying the user of a stopped operation

This dialog box appears at most once per run of the application. Subsequent prohibited operations do not trigger it; they fail without any prompt.

No matter what the user does in the dialog box, the operation fails. However, clicking the "Settings" button opens a new window showing the Settings Manager, where the user can trust the local content that was blocked. If you choose the "Add location" command in the Settings Manager (shown in Figure 2) shortly afterwards, a hint giving the path of the local SWF that was blocked is displayed (see Figure 4).

Figure 4. Using the hint to specify a trusted location

You can copy that path into the "Trust this location" text box to trust the single SWF that triggered the dialog box. Sometimes this is enough. However, an application sometimes consists of several files, and several of them must be trusted for the application to work as intended. (For details, see the following section about media collaboration.) You may therefore need to experiment with trusting several files, or the whole directory that contains the SWF that triggered the dialog box.

If you make changes in the Settings Manager, you must restart the original application (usually by refreshing the browser) before the changes take effect.

This workflow is explained to end users in the Security panel documentation of the Settings Manager. For step-by-step instructions on trusting local content, see also the TechNote "How to make local Flash content communicate with the Internet?".

FlashAuthor.cfg

For end users, the local security warning dialog box is displayed only for SWFs of version 7 and earlier. It lets users fix pre-Flash 8 content affected by the new local security rules.

For authors of Flash content, however, the security warning dialog box can be a useful indicator of why something failed. Authors will want to be notified immediately whenever a SWF of any version attempts an operation prohibited by the local security rules.

To support this, a number of Macromedia authoring tools (including Macromedia Flash 8) install a file named FlashAuthor.cfg, which tells Flash Player to display the warning dialog box whenever any local-with-filesystem SWF, regardless of version, attempts a prohibited operation. Any user is also free to create this file. It can be placed in either of two locations, each at the same level as the corresponding FlashPlayerTrust directory:

  • All Windows users:

    <system>\Macromed\Flash\FlashAuthor.cfg

    (For example, C:\winnt\system32\Macromed\Flash\FlashAuthor.cfg)

  • Single Windows user:

    <Application Data>\Macromedia\Flash Player\#Security\FlashAuthor.cfg

    (For example, C:\Documents and Settings\Fred\Application Data\Macromedia\Flash Player\#Security\FlashAuthor.cfg)

  • All Mac OS users:

    <Application Support>/Macromedia/FlashAuthor.cfg

    (For example, /Library/Application Support/Macromedia/FlashAuthor.cfg)

  • Single Mac OS user:

    <Application Data>/Macromedia/Flash Player/#Security/FlashAuthor.cfg

    (For example, /Users/Fred/Library/Preferences/Macromedia/Flash Player/#Security/FlashAuthor.cfg)

Currently only one directive is recognized in this file:

LocalSecurityPrompt=Author

This directive makes Flash Player ignore the SWF version when deciding whether to display the warning dialog box shown in Figure 3.

FlashAuthor.cfg can also contain whitespace and comments introduced by a # character. Comments extend to the end of the line.

If you are developing SWF content that will be played as local files, the LocalSecurityPrompt=Author directive may not suit you, because it prevents Flash Player from exactly simulating what end users will experience. You can disable the author-specific behavior by changing the LocalSecurityPrompt=Author line in FlashAuthor.cfg to something else. For example, you can comment the line out or change it to something self-explanatory, such as:

LocalSecurityPrompt=User

Note that Macromedia Flash 8 installs FlashAuthor.cfg in both the all-users and the single-user locations. When FlashAuthor.cfg is present in both locations, Flash Player uses the copy in the single-user location, so make sure to edit the single-user file.

Local-with-networking sandbox behavior

SWFs in the local-with-networking sandbox can perform network send operations, but cannot perform local read or SWF-HTML operations.

If you use the debug version of Flash Player and connect it to the debugger in Flash, then when a SWF in this sandbox attempts a prohibited operation, diagnostic information describing the failed operation appears in the Output panel.

SWFs in this sandbox never trigger the security warning dialog box, because content created before the local security rules changed cannot be in the local-with-networking sandbox. From the end user's perspective, every prohibited operation in this sandbox fails without any prompt.

Local-with-networking SWFs can send data over the network. Some network send operations are one-way: they send data and no reply comes back. Other network send operations can receive a reply; these are called network read operations, and each of them is also a network send operation. An example of a network read operation is XML.load("http://mysite.com/data/schedule.xml"). Local-with-networking SWFs are allowed to attempt network read operations. However, in keeping with Flash Player's general permission principles, for a local-with-networking SWF to load data from a given domain, that domain must provide a policy file that authorizes all domains to read the data by declaring <allow-access-from domain="*" />. In the example above, mysite.com must serve such a policy file either at the default location (http://mysite.com/crossdomain.xml) or next to the required data (http://mysite.com/data/crossdomain.xml). In the latter case, to tell Flash Player about the non-default location of the policy file, the loading SWF needs to make the following call:

System.security.loadPolicyFile("http://mysite.com/data/crossdomain.xml")
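An added example, not part of the original page or of Flash Player: a Python model of the placement rules and permissions described in this section, showing that trust takes precedence over the UseNetwork tag and that a local-with-networking SWF can read from the network only when the domain's policy file allows all domains. The paths and inputs are constructed. Assumptions: case-insensitive matching of trusted paths on directory boundaries, and a local-trusted sandbox that holds every permission (this section states that only for SWF-HTML).

```python
# Local sandbox permissions as described on this page. "network-read" in
# localWithNetwork additionally needs a policy file from the data's domain.
LOCAL_PERMISSIONS = {
    "localWithFile": {"local-read"},
    "localWithNetwork": {"network-send", "network-read"},
    # Assumption: local-trusted content holds every permission.
    "localTrusted": {"local-read", "network-send", "network-read", "swf-html"},
}

def norm(path):
    # Assumption: compare paths case-insensitively with unified separators.
    return path.replace("\\", "/").rstrip("/").lower()

def is_within(path, root):
    # Match on a directory boundary so C:/app does not also trust C:/app-old.
    return path == root or path.startswith(root + "/")

def classify_sandbox(location, use_network, trusted_paths):
    """Return the sandboxType string that the page's placement rules imply."""
    if location.lower().startswith(("http://", "https://")):
        return "remote"            # UseNetwork has no effect on HTTP-loaded SWFs
    path = norm(location)
    if any(is_within(path, norm(t)) for t in trusted_paths):
        return "localTrusted"      # user or installer trust wins over UseNetwork
    return "localWithNetwork" if use_network else "localWithFile"

def is_permitted(sandbox, permission, policy_allows_all=False):
    """Decide whether a local SWF in `sandbox` may perform `permission`."""
    if permission not in LOCAL_PERMISSIONS[sandbox]:
        return False
    if sandbox == "localWithNetwork" and permission == "network-read":
        return policy_allows_all   # needs <allow-access-from domain="*" />
    return True

# Constructed inputs: one trusted directory and four SWF locations.
TRUSTED = ["C:\\Program Files\\ExampleApp"]
CASES = [
    ("http://mysite.com/movie.swf", True),
    ("C:\\Program Files\\ExampleApp\\ui\\main.swf", True),
    ("C:\\Program Files\\ExampleApp-old\\main.swf", False),
    ("C:\\Downloads\\banner.swf", True),
]

if __name__ == "__main__":
    for location, use_network in CASES:
        print(location, "->", classify_sandbox(location, use_network, TRUSTED))
```
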
