Flash security features, Publishing secure flash documents – Adobe Flash Professional CS3 User Manual


FLASH CS3

User Guide


A browser that receives the correct MIME type can load the appropriate plug-in, control, or helper application to
process and properly display the incoming data. If the MIME type is missing or not properly delivered by the server,
the browser might display an error message or a blank window with a puzzle piece icon.

If your site is established through an Internet service provider (ISP), ask the ISP to add this MIME type to the
server: application/x-shockwave-flash with the .swf extension.

If you are administering your own server, see your web server documentation for instructions on adding or
configuring MIME types.

Corporate and enterprise system administrators can configure Flash to restrict Flash Player access to resources in
the local file system. Create a security configuration file that limits Flash Player functionality on the local system.

The security configuration file is a text file placed in the same folder as the Flash Player installer. The Flash Player
installer reads the configuration file during installation and follows its security directives. Flash Player uses the
System object to expose the configuration file to ActionScript.

With the configuration file, disable Flash Player access to the camera or microphone, limit the amount of local
storage Flash Player can use, control the auto-update feature, and block Flash Player from reading anything from the
user’s local hard disk.

For more information about security, see System in ActionScript 2.0 Language Reference.

Flash security features

Publishing secure Flash documents

Flash Player 8 and later contain the following features that help you ensure the security of your Flash documents:

Buffer overrun protection

Enabled automatically, this feature prevents the intentional misuse of external files in a Flash document to overwrite
a user’s memory or insert destructive code such as a virus. This prevents a document from reading or writing data
outside the document’s designated memory space on a user’s system.

Exact domain matching for sharing data between Flash documents

Flash Player 7 and later enforce a stricter security model than earlier versions. The security model changed in two
primary ways between Flash Player 6 and Flash Player 7:

Exact domain matching

Flash Player 6 lets SWF files from similar domains (for example, www.adobe.com and store.adobe.com) communicate
freely with each other and with other documents. In Flash Player 7, the domain of the data to be accessed must match
the data provider’s domain exactly for the domains to communicate.

HTTPS/HTTP restriction

A SWF file that loads by using nonsecure (non-HTTPS) protocols cannot access content loaded by using a secure
(HTTPS) protocol, even when both protocols are in exactly the same domain.
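
The two rule changes above, modelled as an added JavaScript example (not Adobe code and not part of the original guide), with a helper that lists which accesses stop working when content moves from the Flash Player 6 model to the Flash Player 7 model. It assumes "similar domains" in Flash Player 6 means hosts that share their last two labels; the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration of the two rules above; not Adobe code.
// Assumption: Flash Player 6 "similar domains" = hosts sharing their last two labels.

function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname.toLowerCase() };
}

function superdomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide whether a SWF loaded from accessorUrl may access content from targetUrl.
function canAccess(accessorUrl, targetUrl, playerVersion) {
  const a = parseOrigin(accessorUrl);
  const t = parseOrigin(targetUrl);
  if (playerVersion <= 6) {
    // Older model: similar domains communicate freely, protocol is not considered.
    const ok = superdomain(a.host) === superdomain(t.host);
    return { allowed: ok, reason: ok ? "similar-domain" : "domain-mismatch" };
  }
  // Flash Player 7 and later: the domains must match exactly.
  if (a.host !== t.host) return { allowed: false, reason: "domain-mismatch" };
  // A SWF loaded over a nonsecure protocol cannot access HTTPS-loaded content.
  if (a.scheme !== "https" && t.scheme === "https") {
    return { allowed: false, reason: "nonsecure-to-https" };
  }
  return { allowed: true, reason: "exact-match" };
}

// Audit helper: accesses that worked under version 6 but are refused under version 7.
function brokenByUpgrade(pairs) {
  return pairs
    .filter(([from, to]) => canAccess(from, to, 6).allowed && !canAccess(from, to, 7).allowed)
    .map(([from, to]) => ({ from, to, reason: canAccess(from, to, 7).reason }));
}

// Constructed sample pairs: [SWF doing the access, content being accessed].
const SAMPLE_PAIRS = [
  ["http://www.adobe.com/menu.swf", "http://store.adobe.com/cart.swf"],
  ["http://www.adobe.com/menu.swf", "https://www.adobe.com/account.swf"],
  ["https://www.adobe.com/menu.swf", "https://www.adobe.com/account.swf"],
  ["http://www.adobe.com/menu.swf", "http://www.example.com/data.xml"],
];

for (const item of brokenByUpgrade(SAMPLE_PAIRS)) {
  console.log(`${item.from} -> ${item.to}: refused (${item.reason})`);
}
```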

For more information about ensuring that content performs as expected with the new security model, see
Understanding security in Learning ActionScript 2.0 in Adobe Flash.
