On 11/3/07, Marcelo de Moraes Serpa <[EMAIL PROTECTED]> wrote:

> Hmm.. yep, haven't thought about the domain restrictions of the player, it
> might work!
>
> @Paul: Afaik, it works like this: When the player downloads a SWF from a
> domain, it looks for a crossdomain.xml file that in turn contains rules on
> which other domains are allowed to play your SWF files you are serving
> through your domain. Please someone correct me if I'm wrong.
What would keep the attacker from serving the assets from his own domain? Even if you use a full URL, that could be changed easily. The same goes for URL checks from within the SWF, they can be changed. If you rely on techniques like this, don't have the domain name as a string in the SWF. That way it is at least more difficult than just to disassemble, search and replace the domain, and reassemble.

This discussion comes up frequently, and I don't know of any method that could prevent a determined knowledgeable attacker from stealing your SWF. The most promising proposal I heard of was to load encrypted assets and use Loader.loadBytes() after decryption, but it's not 100% secure, either. It would raise the bar considerably, though.

Mark
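To make Mark's "encrypted assets plus Loader.loadBytes()" proposal concrete, here is an added ActionScript 3 sketch that is not from the thread or from any of its participants. It fetches an encrypted SWF as binary, decrypts it in memory, checks the result looks like a SWF, and hands the plaintext bytes to Loader.loadBytes(). The class name, the asset path `assets/game.swf.enc`, the key string and the repeating-key XOR stand-in cipher are all assumptions made for the example; the key lives inside the loading SWF, which is exactly why this raises the bar without closing the door.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLLoaderDataFormat;
    import flash.net.URLRequest;
    import flash.utils.ByteArray;

    // Hypothetical loader (example code, not from the mailing-list thread):
    // download an encrypted SWF, decrypt it in memory, then Loader.loadBytes().
    public class EncryptedAssetLoader extends Sprite {
        // Constructed placeholder key. It ships inside this SWF, so anyone who
        // disassembles the SWF can recover it; the scheme only raises the bar.
        private const KEY:ByteArray = new ByteArray();
        private var loader:Loader = new Loader();

        public function EncryptedAssetLoader() {
            KEY.writeUTFBytes("placeholder-key");            // assumption: demo key
            var request:URLRequest = new URLRequest("assets/game.swf.enc"); // assumed path
            var fetcher:URLLoader = new URLLoader();
            fetcher.dataFormat = URLLoaderDataFormat.BINARY;  // get raw bytes, not text
            fetcher.addEventListener(Event.COMPLETE, onFetched);
            fetcher.load(request);
        }

        private function onFetched(e:Event):void {
            var cipher:ByteArray = ByteArray(URLLoader(e.target).data);
            var plain:ByteArray = decrypt(cipher);

            // Sanity check before handing bytes to the player: a SWF starts with
            // "FWS" (uncompressed) or "CWS" (zlib-compressed). A wrong key or a
            // tampered download yields garbage here and is refused.
            plain.position = 0;
            var magic:String = plain.readUTFBytes(3);
            if (magic != "FWS" && magic != "CWS") {
                trace("decryption failed or asset is not a SWF; refusing to load");
                return;
            }
            plain.position = 0;
            addChild(loader);
            loader.loadBytes(plain);   // plaintext never touches the network or disk
        }

        // Stand-in cipher so the example is self-contained: repeating-key XOR.
        // This is not real encryption; a deployment would use a proper cipher
        // (for instance AES from a library such as as3crypto) with the same flow.
        private function decrypt(data:ByteArray):ByteArray {
            var out:ByteArray = new ByteArray();
            for (var i:int = 0; i < data.length; i++) {
                out.writeByte(data[i] ^ KEY[i % KEY.length]);
            }
            out.position = 0;
            return out;
        }
    }
}
```

The magic-number check is the part worth keeping whatever cipher is used: it turns a wrong key or a corrupted download into a clean refusal instead of feeding undefined bytes to the player. Note that nothing here stops someone who already has the loading SWF from extracting the key and the decrypted asset, which is the limitation Mark describes.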
