1

I am building an application in Flash Builder 4.6.

I allow other users to upload and run their own MovieClips inside my app (the movie clips are loaded by my app). I provide them with an interface to access my app's features.

I am concerned about abuse, so I wish to protect myself from the following scenarios:

  • Browser activities such as redirects or opening links. (Pay attention that they can plant JavaScript code using ExternalInterface.)
  • Crashing the browser by running infinite loops:

while (true) { ; } // kill browser

  • Asking the user for unlimited storage permission and filling it with garbage.

Is it possible to protect my app from all that?

4

1 Answer

1

I don't think what you want is completely possible.

  • Are you loading all the clips in your application domain or a separated one? This is the first thing I would change. Even if you give the extended clip an interface, if it is loaded in the main application domain, it has access to everything. We developed a bridge to communicate with external clips without the need to implement them in our application domain. Each clip needs to extend a specific base class. The whole communication works with events and the prevent default method.

  • ExternalInterface calls and navigateToURL with JavaScript access URLs should be permitted if you have set the allowScriptAccess to samedomain only. If you have an interface for calling URLs, validate the URLs before you navigate to them.

  • For the last two items I have no answer, or simply: no, it is not possible.

The whole cross-site scripting topic is huge. And when you have done some Facebook app development, you know how difficult it is to maintain security and usability for the developers.

Answered 2012-05-20T10:29:44.777
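
A host-side sketch of the two measures the answer names, loading clips into a separate application domain and validating URLs before navigating. This is an added example, not code from the question or the answer; the class name ClipSandbox, its function names and the example.com allowlist are assumptions, and it assumes clips are served from a different domain than the host SWF.

```actionscript
package {
    import flash.display.Loader;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;

    // Hypothetical host-side helper; all names and hosts here are illustrative assumptions.
    public class ClipSandbox {
        // Constructed allowlist of hosts the host app is willing to open.
        private static const ALLOWED_HOSTS:Array = ["example.com", "www.example.com"];

        // Scheme, host (letters, digits, dot, hyphen only), optional port,
        // then a path/query/fragment or end of string. Userinfo ("user@host"),
        // "javascript:" URLs, leading whitespace and embedded newlines all fail to match.
        private static const URL_RE:RegExp =
            /^(https?):\/\/([a-z0-9.-]+)(?::\d{1,5})?(?:[\/?#].*)?$/i;

        // Load a third-party clip so that its class definitions are not merged
        // into the host's application domain.
        public static function loadClip(url:String):Loader {
            var context:LoaderContext = new LoaderContext();
            // New domain whose only parent is the system domain.
            context.applicationDomain = new ApplicationDomain(null);
            // Do not import the clip into the host's security sandbox.
            context.securityDomain = null;
            var loader:Loader = new Loader();
            loader.load(new URLRequest(url), context);
            return loader;
        }

        // True only for http(s) URLs whose host is on the allowlist.
        public static function isAllowedUrl(url:String):Boolean {
            if (url == null) return false;
            var m:Object = URL_RE.exec(url);
            if (m == null) return false;
            return ALLOWED_HOSTS.indexOf(String(m[2]).toLowerCase()) != -1;
        }

        // The single navigation entry point the bridge exposes to clips.
        public static function openLink(url:String):Boolean {
            if (!isAllowedUrl(url)) return false;
            navigateToURL(new URLRequest(url), "_blank");
            return true;
        }
    }
}
```

The allowlist only constrains navigation that goes through the host's bridge; a clip's own ExternalInterface and navigateToURL calls are governed by the allowScriptAccess setting on the embedding page.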