Is Flash Cross Domain useless?

Published 2019-02-16 00:15

Question:

I'm trying to play an FLV file located on a remote server ('crossdomain.xml' does not exist in the process) in 3 ways:

  1. From a browser using an SWF player located on some server
  2. From VLC, pointing to the remote file.
  3. Downloading the remote file and the SWF player, then playing it locally

Guess what?

  1. Didn't play the flv
  2. Played like a charm
  3. Played like a charm

Conclusion: Flash's Cross Domain security is useless.

Please tell me where I'm wrong or perhaps I'm just helping someone understand that this security is useless.

Answer 1:

I wasn't going to write my own answer, because I felt like @jpea had already written the most important things. But it seems like the idea and use of the crossdomain.xml files is still unclear. So here it is:

  1. Cross-site scripting does not refer to accessing media content from other servers, but to an attack method used for roughly 80% of all internet security violations. It can happen in many different ways, but always involves injecting foreign code into a web page (or plug-in content) to make the client behave in a way that was not intended. It might result in an attack on the server later, but the initial problem is always related to vulnerabilities on the client side.

  2. Crossdomain-policy files are the Flash implementation of the so-called "same-origin-policy", an important part in preventing cross-site scripting. Essentially, it is meant to ensure that any content loaded by an SWF must be within the same domain (as opposed to "on the same server") as the original content.

    What does this mean, in practice? It means, for example, that an attacker is not allowed to load your original SWF into an (invisible) enclosing SWF hosted on a different server, and monitor all incoming and outgoing traffic, or capture keyboard events, to steal passwords and such: Violating the crossdomain-policy will cause a security error that stops execution of all ActionScript.

    It does not, however, prevent FLV files from being played in some other way - and that is absolutely not what it is intended to do.

  3. Admittedly, there are (more or less easy) ways to get around crossdomain-policy files, for example by using a proxy to channel the SWF's URL requests, so using them will not result in "real" security. But as part of a multi-level security strategy, they do help to raise the bar for attackers.



Answer 2:

crossdomain.xml is meant as a security measure for the Flash player plugin. An FLV alone isn't the security risk, the player is. In instance #2, you didn't use the Flash player. In instance #3, it uses the same security that Flash uses in its IDE (to allow debugging). Instance #1 worked exactly as intended.

crossdomain.xml isn't meant as a DRM sort of security, or to not allow downloading of files. It's meant to disallow unintended domains from using your FLV/F4V from another server (better known as cross-site scripting).
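Both answers make the same point: crossdomain.xml decides which *SWF origins* the Flash player will let read data from a host, and says nothing about VLC or a local download. The following is an added example (not code from either answer or from Adobe) that makes that decision concrete: it parses a policy file, answers "would a SWF served from origin X be allowed to load from this host?", and flags the two settings that turn the file from a protection into a liability (`domain="*"`, and `secure="false"` on an HTTPS-served policy). The two sample policies are constructed for the example, and the domain matching is a simplified model of the Flash policy-file rules (a bare `*` matches everything; `*.example.com` matches `example.com` and its subdomains; anything else must match exactly; `site-control permitted-cross-domain-policies="none"` disables the policy). Real deployments should be checked against Adobe's policy-file specification.

```python
"""Evaluate a Flash crossdomain.xml policy (added example, not from the original post).

Two questions are answered for a parsed policy:
  1. origin_allowed()  - may a SWF hosted at this origin read from the server?
  2. audit_policy()    - does the policy grant that right to the whole internet?
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample policies for the example; they do not come from any real site.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.org" secure="true"/>
</cross-domain-policy>"""


@dataclass(frozen=True)
class AllowRule:
    domain: str   # lower-cased domain pattern from the domain= attribute
    secure: bool  # secure= attribute; defaults to true (only meaningful for HTTPS-served policies)


def parse_policy(xml_text: str) -> list[AllowRule]:
    """Parse the <allow-access-from> rules of a crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"not a cross-domain policy: <{root.tag}>")
    # permitted-cross-domain-policies="none" disables policy files for the whole host,
    # so the master file grants nothing regardless of its other rules.
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies", "").lower() == "none":
        return []
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "").strip().lower()
        if not domain:
            continue
        secure = el.get("secure", "true").strip().lower() != "false"
        rules.append(AllowRule(domain=domain, secure=secure))
    return rules


def domain_matches(pattern: str, host: str) -> bool:
    """Simplified model of Flash policy-file domain matching (see lead-in)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def origin_allowed(rules: list[AllowRule], swf_origin: str, policy_https: bool = True) -> bool:
    """Would the Flash player let a SWF served from swf_origin read from the policy's host?

    policy_https: whether the policy file itself was served over HTTPS. Only then does
    secure="true" (the default) reject SWFs loaded over plain HTTP.
    """
    parsed = urlparse(swf_origin)
    host = (parsed.hostname or "").lower()
    for rule in rules:
        if not domain_matches(rule.domain, host):
            continue
        if policy_https and rule.secure and parsed.scheme != "https":
            continue
        return True
    return False


def audit_policy(rules: list[AllowRule], policy_https: bool = True) -> list[str]:
    """Return human-readable findings for settings that hand access to arbitrary third parties."""
    findings = []
    for rule in rules:
        if rule.domain == "*":
            findings.append("domain=\"*\": any SWF on the internet may read responses "
                            "sent with the victim's cookies and session")
        if policy_https and not rule.secure:
            findings.append(f"secure=\"false\" on {rule.domain}: SWFs served over plain HTTP "
                            "(and therefore injectable by a network attacker) may read HTTPS data")
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        rules = parse_policy(text)
        print(name, "allows https://app.example.com:", origin_allowed(rules, "https://app.example.com"))
        print(name, "allows http://evil.example.net:", origin_allowed(rules, "http://evil.example.net"))
        for finding in audit_policy(rules):
            print(name, "finding:", finding)
```

Nothing in this evaluation touches the FLV bytes: the policy only governs what the *player plugin* will do on behalf of a foreign SWF, which is why a direct download or VLC is unaffected, and why a `*` rule exposes every authenticated response on the host rather than "protecting" the video.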