Hello Rob,

Thursday, April 26, 2007, 8:08:51 PM, you wrote:

RS> Currently the only security in Gnash is a simple whitelist/blacklist
RS> of URLs to not load content from. This is more like Adblock, than real
RS> security though, but at least it does prevent Flash movies from loading
RS> content over the network that you don't want.
Allow me this question: what *real* security risk is there when a Flash movie loads data from wherever it likes?

The MM player does not allow loadVariables() from foreign domains, but allows loadMovie() from anywhere. Anyway, I don't see any problem with loading data from wherever you want. If collecting personal data (i.e. sending whatever data to a server) is a concern, then you have to block any network connection, *especially* connections to the *same* domain. I mean, if you really want to gather statistics or whatever information from your visitors, then why would you use a foreign server for that? And you certainly can't block the movie's domain, as this will break lots of movies / web pages.

I, personally, would be happy to have a player that at least tells me what network connections are made by my player (which, on the other hand, can be done easily with the MM player + other tools, btw). Blocking *any* network connection by request is fine, too. But is there really a URL/domain that I should generally add to my blacklist?

The discussion is similar to XML loading with JavaScript. Foreign domains are not allowed (again: why?) and this makes it difficult to create some kinds of AJAX applications (you know, Web 2.0). One workaround is to load whole JavaScript files dynamically. That is allowed for whatever URL you like and, while giving me lots of possibilities as a programmer, imposes a much higher security risk if you ask me, as this does not just load data.

So, I'm curious about any real security risk scenario involved with loading/exchanging data from anywhere.

Udo

_______________________________________________
Gnash-dev mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnash-dev

