Archive for January 26th, 2006

New projects

I have a couple of projects underway at the moment and will be announcing them via the AllRollOver main page very soon.

January 26th, 2006

Flash: cross-domain security breach?

I have been looking into cross-site identity - being able to move from one domain to the next yet being recognised at each without having to sign in. This kind of thing is pretty much impossible to do via your typical web browser due to the domain-security model that has now been pretty much universally implemented. In particular this model stops cookies from being shared across domains, as well as stopping any tomfoolery with JavaScript and cross-(i)frame scripting (for example having a frameset open with two web documents from different domains exchanging data).

While thinking about it I had a brain-wave. I can think of a way of doing it. But I don't know if I should be able to do it. What I mean is, I could well be exploiting an oversight hitherto undetected by browser developers. Or maybe it's not their bug. Maybe it's Macromedia’s. The solution relies on Flash.

You see, as of version 6, it has been possible to persistently store data locally on the client machine via Flash ActionScript. That data is linked to the domain of the movie: only other movies from that domain can re-access it. So it is kind of sandboxed.

But, I wondered, what if a Flash movie from example1.com was embedded in web pages at example2.com and example3.com (just like a lot of those Flash adverts you see)? As expected the movie from example1.com still has access to data from that domain. Now, realise that Flash movies can be accessed via JavaScript. It would be possible to have a callable ‘getData’ and ‘setData’ function. Kind of like a ‘stealth Flash cookie’.

Now, this only works if both sites embed the Flash file served from the same location. But it's still kind of scary. Many, many people (I don't have the figures) have Flash 6+ installed. Many will have JavaScript enabled. As far as I can see, there is no indication to the user that local storage of variables is occurring. Who knows if this is happening already…

January 26th, 2006
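
The storage scoping described in the post above, as an added example that is not part of the original post: a small JavaScript model (not real Flash or browser code; `LocalStore`, `embed`, `visit` and the URLs are hypothetical) that compares a store keyed only by the movie's origin with one keyed by the embedding page as well. The second keying is an assumed mitigation used for contrast, not something the post describes.

```javascript
// Added model, not real Flash or browser code. All names and URLs are hypothetical.
class LocalStore {
  // partitioned=false: data is keyed only by the origin that served the movie.
  // partitioned=true:  data is keyed by (embedding page origin, movie origin).
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.slots = new Map();
    this.nextId = 0; // deterministic stand-in for a random identifier
  }
  key(pageUrl, movieUrl) {
    const movieOrigin = new URL(movieUrl).origin;
    return this.partitioned
      ? new URL(pageUrl).origin + '|' + movieOrigin
      : movieOrigin;
  }
  // Returns the getData/setData pair that script on the embedding page can call.
  embed(pageUrl, movieUrl) {
    const k = this.key(pageUrl, movieUrl);
    if (!this.slots.has(k)) this.slots.set(k, new Map());
    const slot = this.slots.get(k);
    return {
      getData: (name) => slot.get(name),
      setData: (name, value) => { slot.set(name, value); },
    };
  }
}

// One visitor loads a page embedding the movie; the page reads or assigns an ID.
function visit(store, pageUrl, movieUrl) {
  const movie = store.embed(pageUrl, movieUrl);
  let id = movie.getData('visitorId');
  if (id === undefined) {
    id = 'visitor-' + (++store.nextId);
    movie.setData('visitorId', id);
  }
  return id;
}

const MOVIE = 'http://example1.com/id.swf'; // constructed URL

// Returns the IDs seen on two unrelated sites that embed the same movie.
function idsAcrossSites(partitioned) {
  const store = new LocalStore(partitioned);
  return [
    visit(store, 'http://example2.com/', MOVIE),
    visit(store, 'http://example3.com/page', MOVIE),
  ];
}

console.log('origin-keyed:', idsAcrossSites(false));
console.log('partitioned: ', idsAcrossSites(true));
```

With origin-only keying both sites read the same identifier; once the embedding page is part of the key, each site sees its own value and the link between them disappears.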

