Comments on: [AS3] Domain Locking SWFs

By: julien

julien — Mon, 09 May 2011 21:23:28 +0000

Hi Matt, Hi all.

Just to let know some readers, decompilation is prevented by obfuscation…

I guess there are pretty good softwares out here that will cost you a good ride for your money if you try to use any kind of decompiler to read the code.

By the way. One other point : if the domain is “ghostwire.com” be carefull not to test it with “^http(|s)://(“+allowedDomains+”)/”;
because the last / is preventing from succes….

Do use “^http(|s)://(“+allowedDomains+”)”; instead or compare with “ghostwire.com/”

By: Matt

Matt — Sun, 09 Jan 2011 23:09:36 +0000

Thanks for the post!

@Josh Strike – My guess is nothing. But that comes down to the age-old question: “what can you do to stop someone decompiling the SWF?” And the answer to that is of course – (basically) nothing.

By: Ian

Ian — Fri, 10 Sep 2010 19:21:59 +0000

One issue I found with your solution is for allowing subdomains is it will also allow domains that end with the same character sequence to pass. Probably not a big deal, but if you use “(|.*[.])” instead of “.*” in front of your domain name it will not allow invalid domains to pass.

For example: .*ghostwire.com will allow notghostwire.com to pass. But (|.*[.])ghostwire.com will only allow the primary domain and subdomains to pass.

By: Julien

Julien — Mon, 03 May 2010 11:28:49 +0000

Damn… I forgot HTML corrector and the code has been eaten.

So again : the following HTML code needs to be applyed if the swf isn’t on the same domain than the page that stand the embed.

param name=”allowscriptacess” value=”always”…

This allows foreign swf to send stuff out to the page. By Default the value is “samedomain”.
++

By: Julien

Julien — Mon, 03 May 2010 11:22:20 +0000

@ Jeffry Houser – I was wondering the same… But I guess there is no really “cross site scripting violation” since the user that embed the swf need to specify the following HTML :

(defaut value is “samedomain”)

I suppose this is the only way to allow foreign swf to send stuff out to the page.

Actually, with this important HTML condition, the piece of code above just works perfect.
Thank you Sunny.

By: happy

happy — Fri, 12 Mar 2010 21:38:12 +0000

@JOSH – SWF Encyption would! The process oulined here should be part of many measure to secure a swf. A combination of asp and client side code would mean that even if you decompile th eswf still cant be viewed.

Nice post

By: Josh Strike

Josh Strike — Sun, 07 Feb 2010 06:07:27 +0000

What stops someone from just decompiling the SWF and commenting out these lines?

By: sunny

sunny — Sun, 03 Jan 2010 01:45:05 +0000

Have you tested yourself? Otherwise, your question smacks of irony, don’t you think so?

; )

By: Jeffry Houser

Jeffry Houser — Sat, 02 Jan 2010 20:05:02 +0000

Have you [or anyone] tested this?

I was under the impression that cross domain issues would prevent a SWF’s ExternalInterface from making calls to a page that was not served on the same domain as the SWF.

Otherwise, I would expect this could be a serious cross site scripting violation.

By: john

john — Fri, 06 Nov 2009 17:27:46 +0000

it is awesome! good job