Is Flash Cross Domain useless?


Problem description

I'm trying to play an FLV file located on a remote server ('crossdomain.xml' does not exist in the process) in 3 ways:

  1. From a browser, using an SWF player located on some server.
  2. From VLC, pointing to the remote file.
  3. Downloading the remote file and the SWF player, and playing locally.

Guess what?

  1. Did not play the FLV.
  2. Played fine.
  3. Played fine.

Conclusion: Flash's Cross Domain security is useless.

Please tell me where I'm wrong or perhaps I'm just helping someone understand that this security is useless.

Recommended answer

I wasn't going to write my own answer, because I felt like @jpea had already written the most important things. But it seems like the idea and use of the crossdomain.xml files is still unclear. So here it is:

  1. Cross-site scripting does not refer to accessing media content from other servers, but to an attack method used for roughly 80% of all internet security violations. It can happen in many different ways, but always involves injecting foreign code into a web page (or plug-in content) to make the client behave in a way that was not intended. It might result in an attack on the server later, but the initial problem is always related to vulnerabilities on the client side.

Crossdomain-policy files are the Flash implementation of the so-called "same-origin-policy", an important part in preventing cross-site scripting. Essentially, it is meant to ensure that any content loaded by an SWF must be within the same domain (as opposed to "on the same server") as the original content.

What does this mean, in practice? It means, for example, that an attacker is not allowed to load your original SWF into an (invisible) enclosing SWF hosted on a different server, and monitor all incoming and outgoing traffic, or capture keyboard events, to steal passwords and such: Violating the crossdomain-policy will cause a security error that stops execution of all ActionScript.

It does not, however, prevent FLV files from being played in some other way - and that is absolutely not what it is intended to do.

Admittedly, there are (more or less easy) ways to get around crossdomain-policy files, for example by using a proxy to channel the SWF's URL requests, so using them will not result in "real" security. But as part of a multi-level security strategy, they do help to raise the bar for attackers.
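To make the answer's point concrete (the policy file is served by the content host and decides which SWF origins the Flash Player may let read that host's responses), here is an added example that is not part of the question or the answer above. It parses two constructed crossdomain.xml documents, evaluates whether a SWF loaded from a given origin would be granted access, and audits the policy for settings that weaken it. Domain matching uses `fnmatch` as an approximation of the Flash Player's wildcard rules, and `secure` is assumed to default to true; both are assumptions of this example, not statements from the page.

```python
"""Evaluate a crossdomain.xml policy and flag weak settings.

Added example (not from the original question or answer). The two
policies below are constructed for illustration.
"""
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a policy that trusts only the site's own subdomains,
# and only when the requesting SWF was itself loaded over HTTPS.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample: the wildcard policy that lets a SWF on any site read
# this host's responses, with the viewer's cookies attached by the browser.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return the (domain, secure) rules declared by a crossdomain.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # Assumption: 'secure' defaults to true when the attribute is absent.
        secure = el.get("secure", "true").lower() != "false"
        rules.append((domain, secure))
    return rules


def is_allowed(policy_xml, swf_origin, policy_served_over_https=True):
    """Would a SWF loaded from swf_origin be allowed to read data from the
    host that serves policy_xml?  Matching is by host pattern (fnmatch is
    used here as an approximation of the Flash Player's wildcard rules)."""
    parsed = urlparse(swf_origin)
    host, scheme = parsed.hostname or "", parsed.scheme
    for domain, secure in parse_policy(policy_xml):
        if not fnmatch.fnmatchcase(host, domain):
            continue
        # secure="true" on an HTTPS-served policy refuses SWFs loaded over HTTP.
        if secure and policy_served_over_https and scheme != "https":
            continue
        return True
    return False


def audit_policy(policy_xml):
    """Return a list of findings describing settings that weaken the policy."""
    findings = []
    for domain, secure in parse_policy(policy_xml):
        if domain == "*":
            findings.append('allow-access-from domain="*": any SWF on any '
                            'site may read this host\'s responses')
        if not secure:
            findings.append(f'secure="false" for {domain!r}: SWFs loaded over '
                            'HTTP may read content served over HTTPS')
    root = ET.fromstring(policy_xml)
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append('allow-http-request-headers-from domain="*" '
                            'headers="*": any site may send arbitrary headers')
    return findings


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(name, "allows https://www.example.com/player.swf:",
              is_allowed(policy, "https://www.example.com/player.swf"))
        print(name, "allows http://other.test/player.swf:",
              is_allowed(policy, "http://other.test/player.swf"))
        for finding in audit_policy(policy):
            print("  finding:", finding)
```

The point of the two functions is the one the answer makes: the check runs inside the viewer's Flash Player against a file published by the data host, so it decides what a SWF from another origin may read through that player; it has no bearing on a download tool or a local player, which never consult it.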
