On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:

> Any site which does that has a giant security hole, since Flash can be used
> to arbitrarily script the embedding page. It's about as safe as allowing
> embedding of arbitrary off-site <script>. If you are aware of sites that
> allow embedding of arbitrary off-site Flash, you should alert them to the
> potential security risks. For example a social network site that allowed this
> would be vulnerable to a self-propagating worm.
>
> What I have heard before is that sites whitelist specific SWFs or Flash from
> specific domains. I don't have any first-hand knowledge of how sites
> actually do it.

With testing I found at least one site where I can apparently embed arbitrary
SWFs. However, this site has per-user domains, so it might be relatively safe.
This site also allows me to embed arbitrary content in an <iframe>.

Regards,
Maciej
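The per-domain whitelisting the quoted message mentions, as an added server-side check that is not part of this thread or any real site's code: it accepts an embed URL only when the scheme is https, the host exactly matches an allowed host (no subdomain or userinfo lookalikes), and the path names a .swf. The allowed hosts are hypothetical values.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts a site trusts to serve SWFs (constructed values).
ALLOWED_SWF_HOSTS = frozenset({"swf.example-cdn.com", "media.example.org"})


def is_allowed_swf_embed(url: str, allowed_hosts=ALLOWED_SWF_HOSTS) -> bool:
    """Return True only for https URLs whose host is exactly an allowed host
    and whose path ends in .swf. Exact host comparison (not a suffix match)
    rejects lookalikes such as swf.example-cdn.com.evil.test."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Scheme-relative (//host/...), http:, javascript: and data: URLs are refused.
    if parts.scheme != "https":
        return False
    # Reject userinfo so https://allowed-host@evil.test/x.swf is not mistaken
    # for the allowed host when the URL is only eyeballed or regex-matched.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in allowed_hosts:
        return False
    if port not in (None, 443):
        return False
    # Compare the path only; query and fragment cannot change the served file.
    return parts.path.lower().endswith(".swf")
```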
