What happens when Flash accesses an https resource?


Problem description


If a swf located at http://example.com/test.swf makes a request to https://secure.com/webservice.xml, what happens? Adobe's documentation on cross domain policy files notes the "secure" attribute.



secure: [HTTPS and Sockets only, optional] Specifies whether access is granted only to HTTPS documents from the specified origin (true) or to all documents from the specified origin (false). If secure is not specified in an HTTPS policy file, it defaults to true. Using false in an HTTPS policy file is not recommended because this compromises the security offered by HTTPS; for example, allowing man-in-the-middle attacks to gain access to the HTTPS data protected by the policy file.


Does this mean the Flash player will actually make an HTTP request, rather than HTTPS? Is the issue that there's a presumption of less trust for .swf files being served from a non-secure domain? If the Flash player makes a proper SSL request, I don't see where the additional man-in-the-middle vulnerability comes from. And if it doesn't, I have to think the web server would probably be configured to reject it.

Recommended answer


Nope. If you set the attribute secure to false, the Flash application wouldn't make an http request. It would make an https request to a source that is published through https. But the main idea is that this attribute set to false allows Flash to make connections to other http resources. A "man in the middle" attack could be made at this moment. Imagine a situation: your Flash application loads some documents from https and processes them on some web server, using its API, but through an http, not secured, connection. Data that was loaded from https would be passed by Flash to the web server through simple http. If you set the secure attribute to true, this will tell Flash that documents from https require security. And Flash would not make simple http requests from that time anymore, because data from https could probably have been inserted in these not secure requests by the program algorithm.
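The following added example, which is not part of the original question or answer, audits a cross-domain policy file for the `secure` attribute quoted from Adobe's documentation above. The sample policy, the domain names in it, and the function name `audit_policy` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, as it might be served from an HTTPS origin.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="example.com" secure="false"/>
  <allow-access-from domain="partner.example.net"/>
  <allow-access-from domain="*" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text, served_over_https=True):
    """Return (domain, effective_secure, findings) per allow-access-from entry.

    Hypothetical helper: run it on policy files you own and trust as input.
    """
    root = ET.fromstring(xml_text)
    results = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        raw = entry.get("secure")
        if raw is None:
            # Quoted documentation: when secure is not specified in an
            # HTTPS policy file, it defaults to true.
            secure = served_over_https
        else:
            secure = raw.strip().lower() == "true"
        findings = []
        if served_over_https and not secure:
            # secure=false grants access to all documents from the origin,
            # including SWFs that were delivered over plain HTTP.
            findings.append(
                "secure=false: documents loaded over plain HTTP from this "
                "domain are granted access to HTTPS data"
            )
        if domain == "*":
            findings.append("wildcard domain: any origin is granted access")
        results.append((domain, secure, findings))
    return results


if __name__ == "__main__":
    for domain, secure, findings in audit_policy(SAMPLE_POLICY):
        status = "; ".join(findings) if findings else "ok"
        print(f"{domain:<22} secure={secure!s:<5} {status}")
```

In the question's scenario, the first entry is the one that would let a SWF served from http://example.com read the HTTPS resource.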
