Extension talk:Flashlets

From mediawiki.org

Hm... I'm not sure how far ActionScript can access the surrounding website... is it possible to read the user's session cookie? Is it possible to load images etc from a different server? If the answer to both is yes, this extension is an invitation for w:Cross Site Scripting attacks. If only one of those is possible, it's not all that bad, but still worrying.

Please check and see... -- Duesentrieb ⇌ 12:02, 1 April 2007 (UTC)

Flash is very crippled specifically so that it can't really contain malicious code. It can't access files on the local hard drive apart from a sandbox so the script can store data. It can only read files or images from the same subdomain it was served from. --Nad 12:37, 1 April 2007 (UTC)
But can it read cookies from the page that contains it?
Also, "Flash Cookies" are in the news right now... not a security problem by themselves, but something to be aware of. -- Duesentrieb ⇌ 12:59, 1 April 2007 (UTC)
Oh... can getURL("javascript:alert('evil');") be used to run arbitrary JavaScript? That would be... evil... -- Duesentrieb ⇌ 13:08, 1 April 2007 (UTC)
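Whether a movie can reach the hosting page's JavaScript at all (the concern in the last post, and the cookie question above it) is controlled on the embedding side by the `allowScriptAccess` parameter of the `<object>`/`<embed>` markup, which takes the values `always`, `sameDomain` and `never`. A wiki that embeds user-supplied SWFs therefore wants to confirm that every embed it emits is set to `never`. The following audit script is an added example and is not part of this discussion or of the Flashlets extension: `SAMPLE_HTML`, the `/flashlets/...` paths and the function names are constructed for illustration, and the rule that only `never` is acceptable for untrusted content is an assumption stated in the code.

```python
from html.parser import HTMLParser

# Constructed sample page (not output of the Flashlets extension): three SWF
# embeds with different allowScriptAccess settings, one of them unset.
SAMPLE_HTML = """
<p>Example wiki page</p>
<object id="movie1" width="100" height="100">
  <param name="movie" value="/flashlets/movie1.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="/flashlets/movie1.swf" allowScriptAccess="always" width="100" height="100">
</object>
<embed src="/flashlets/movie2.swf" allowScriptAccess="never" width="100" height="100">
<embed src="/flashlets/movie3.swf" width="100" height="100">
"""


def classify(setting):
    """Map an allowScriptAccess value to a verdict. Assumption: for untrusted
    SWFs only "never" counts as safe, because the other values let the movie
    call into the hosting page's JavaScript (fully, or from the same domain)."""
    if setting is None:
        return "unset"
    value = setting.strip().lower()
    if value == "never":
        return "restricted"
    if value == "samedomain":
        return "same-domain"
    if value == "always":
        return "unrestricted"
    return "unknown"


class FlashEmbedAuditor(HTMLParser):
    """Collects <embed> tags and <object>/<param> groups that carry a SWF."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object = None  # state for the <object> currently being parsed

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names;
        # attribute values may be None for bare attributes.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self._object = {"src": attrs.get("data", ""), "setting": None}
        elif tag == "param" and self._object is not None:
            name = attrs.get("name", "").lower()
            if name == "movie":
                self._object["src"] = attrs.get("value", "")
            elif name == "allowscriptaccess":
                self._object["setting"] = attrs.get("value", "")
        elif tag == "embed":
            self._record("embed", attrs.get("src", ""), attrs.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self._record("object", self._object["src"], self._object["setting"])
            self._object = None

    def _record(self, kind, src, setting):
        self.findings.append({
            "kind": kind,
            "src": src,
            "setting": setting,
            "verdict": classify(setting),
        })


def audit_flash_embeds(html):
    """Return one finding per SWF embed found in the HTML, in document order."""
    auditor = FlashEmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def embeds_needing_attention(html):
    """Embeds that are not explicitly set to allowScriptAccess="never"."""
    return [f for f in audit_flash_embeds(html) if f["verdict"] != "restricted"]


if __name__ == "__main__":
    for finding in audit_flash_embeds(SAMPLE_HTML):
        print(f'{finding["kind"]:6} {finding["src"]:28} {finding["setting"]!s:10} -> {finding["verdict"]}')
```

Run against the rendered output of a page, the script lists each embed with its verdict; anything other than `restricted` means the movie is allowed some path into the page's script context and the embed markup should be changed. Note that this parameter only covers script access to the hosting page; what a movie may load from other servers is decided separately by those servers' cross-domain policy files, so the two questions in the opening post need two separate checks.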