'crossdomain'相關日誌共 2 篇

  1. 2008/06/10 crossdomain.xml server timeout 或沒被allow的EVEN處理
  2. 2007/10/02 AS3 安全性測試-雜記

crossdomain.xml server timeout 或沒被allow的EVEN處理

Flash常見問題&教材 2008/06/10 10:46
在flash 妳要跨網域做loadVars flash Player ㄧ定會去問crossdomain.xml若問不過  AS2 沒有任何EVENT會觸發跟你說現在是什麼情形...Orz

但AS3雖然有onSecurityError但該DOMAIN只要第一次被觸發這個EVENT之後,flash Player就不會去問這個DOMAIN了,會在client端(flash Player)就擋掉所有DOMAIN的request,包含security.loadPolicyFile也是,所以你若是crossdomain.xml server timeout 你真的只能重LOAD頁面,不過若SERVER可以搭配reWrite讓flash Player以為你是訪問不同的DOMAIN那就有解了

作法:
AS:

var URLarr:Array=new Array("otherdomainA.im.tv", "otherdomainB.im.tv", "otherdomainC.im.tv");
var idx=0;

function loadXML(){
   var srt = URLarr[idx]+"/aa.txt";
   var my_lv:LoadVars = new LoadVars();
   my_lv.onLoad = function(success:Boolean) {
      if (success) {
        myHtml.text = this.toString();
        clearInterval(IntNum);
      } else {
        trace("Error loading/parsing LoadVars.");
      }
   };
  my_lv.load(srt);//這一行會觸發檢查http://otherdomain.im.tv/crossdomain.xml
  idx++
}
var IntNum = setInterval(loadXML, 1000);

server的rewrite
設成若request為
otherdomainA.im.tv, otherdomainB.im.tv, otherdomainC.im.tv 都轉導為otherdomain.im.tv(flash吃轉導(304)的content)
top
TAG crossdomain, 安全性
Trackback 0 : Comment 0

Trackback Address :: http://diary.tw/allenliao/trackback/516

Write a comment

AS3 安全性測試-雜記

ActionScript3.0 2007/10/02 07:40
測式範例說明:
從A.com載Q.JPG及Q.SWF回B.COM
下載完成後
你企圖用Event.target.content.width去改變大小,Q.SWF會有安全性限制的警告
Q.JPG任人宰割(前提是A.com/crossdomain.xml要allow B.COM)

結論:
LOAD SWF 和 JPG(不做編輯存取)是沒有限制的,怎麼LOAD都可以!

a.LOAD圖片後編輯只要圖片的機器crossdomain.xml有allow 就OK
b.LOAD SWF後編輯SWF的機器有沒有crossdomain.xml都沒差,但被編輯的SWF需要下System.Security.allowDomain("*")
c.LOAD XML或存取像ASP這種SERVER SCRIPT 需要文件上的機器crossdomain.xml有allow 方可存取
d.不同DOMAIN的SWF要使用 LocalConnection,偵聽的SWF需要使用 LocalConnection.allowDomain() 方法,授予 傳送的SWF 傳送的權限,

觀念:
來自網際網路的資源 (包括 SWF 檔) 分類置入不同的安全執行程序中,這些程序會分別對應於這些資源之來源網站的原始網域>>也就是說一個網域一個安全執行程序(sandbox)


參考:

  • You can load content from any accessible source. (除了文件隨你怎麼LOAD都可以)
  • Loading is not allowed if the calling SWF file is in a network sandbox and the file to be loaded is local.(網路上的SWF不可以LOAD LOCAL端的檔案)
  • If the loaded content is a SWF file, it cannot be scripted by a SWF file in another security sandbox unless that cross-scripting arrangement was approved through a call to the Security.allowDomain() method in the loaded content file. .(LOAD 外部DOMAIN的SWF檔案時,被LOAD的SWF檔不能被LOAD他的SWF控制(改大小、呼叫變數函數等等),除非被LOAD的SWF有呼叫Security.allowDomain() 這行指令來允許cross-scripting)
  • SWF files written in ActionScript 1.0 or 2.0, which are loaded as AVM1Movie objects, cannot cross-script SWF files written in ActionScript 3.0, which are loaded as Sprite or MovieClip objects. You can use the LocalConnection class to have these files communicate with each other. (若被LOAD的SWF是用AS2或AS1寫的,則無法cross-scripting,若要溝通需靠LocalConnection 才能完成)
  • If the loaded content is an image, its data cannot be accessed by a SWF file outside of the security sandbox, unless the domain of that SWF file was included a cross-domain policy file at the origin domain of the image. (若LOAD 外部DOMAIN的圖片檔案,而想存取該圖片的資訊(EX:做遮罩)除非該圖的機器的crossdomain.xml allow LOAD檔的SWF的DOMAIN)
  • Movie clips in the local-with-file-system sandbox cannot cross-script movie clips in the local-with-networking sandbox, and the reverse is also prevented.
  • You can prevent a SWF file from using this method by setting the allowNetworking parameter of the the object and embed tags in the HTML page that contains the SWF content.

  • 對位於不同安全執行程序中的 SWF 檔,偵聽程式必須使用 LocalConnection.allowDomain() 方法,授予傳送者權限。您傳遞做為 LocalConnection.allowDomain() 方法之引數的字串可以包含下列任何項目:精確的網域名稱、IP 位址,以及 * 萬用字元。

     

    • top
    TAG AS30, crossdomain, LocalConnection, 安全性
    Trackback 0 : Comment 0

    Trackback Address :: http://diary.tw/allenliao/trackback/313

    Write a comment

    PREV : [1] : NEXT