I have a website where people upload swf files. What kinds of harm can be done from allowing this? Is it possible for a swf to redirect to another website? (It looks like someone may have done this already.) What can be done to prevent this aside from "processing" every entry manually?
Off the top of my head things you need to think about when letting anyone upload a swf to your site:
If the SWF can execute JS on your website, all kinds of crazy things could happen. Be sure that you set the allowScriptAccess param to never where you are embedding the SWF.
You may also want to disable the SWF from going into full screen to prevent phishing type scams
You can even disable networking all together from the SWF. However, this would cripple a fair amount of legitimate content.
Watch out for CSRF-like attacks and make sure your site takes the appropriate security measures.
You can review Adobe's article on FP security for a look at some more issues as well.
Related
I have a client in the music industry who has a new album out. Upon loading the given page of the album record company, I was somewhat surprised to find that it was trivially easy to download the sound from their website, the sound runs in the following source code, in HTML5:
<div class="sqs-audio-embed" data-url="https://...fileserverURL...SD+Master+V2.mp3" data-mime-type="" data-title="title" data-author="author" data-show-download="false" data-design-style="legacy" data-duration-in-ms="761000" data-color-theme="light" id="yui_3_17_2_1_144058079_1116">
<div id="yui_3_17_2_1_149458079_1120" class="yui3-widget sqs-widget sqs-audio-player play-state-stopped ready-state-initialized">
<div id="yui_3_17_2_1_149058079_1122" class="sqs-audio-player-content">
</div>
</div>
</div>
It's an enbedded URL, based on another domain.
So my question is....
How can a sound be played on a website but deny a direct download or a direct link?
My thoughts:
1) I imagine, using something like a custom Content Security Policy on the fileserverURL could do the trick, denying direct access unless the access comes from unless it's the domain name of the record company website (for example).
2) Could an .htaccess request -such as those that block image direct access- also work, with some sort of exception if being played/called via a certain domain or webpage?
Summary:
Mp3 file.
File is on a different URL domain than the website
File can be played on the website but direct links should not be allowed
Unless there's no other way, Javascript would like to be avoided
I have looked at other questions on Stack Overflow but I didn't find any (any!) that related to practical workarounds for the above situation (allow play disallow direct access). The closest I found was this question from 2010 which seems to imply the above can't be done, but I am sure it can (now) be done if the two servers (filehost and website) are set to allow acces to a file if only via the website server acting as a gatekeeper, as in point 1, above.)
Yes, I'm also aware that committed people can copy the sound from the downloaded browser cache (from which the sound is actually played), but I'm not getting too obsessive over this, just, well, a little....
CSP isn't designed for this, it's for the opposite problem: the operator on the site wants to prevent loading content from a different server (you're the operator of the different server and you want to keep most sites from loading your content).
Your second idea should work to solve the problem, as you've outlined. Deep-linking prevention doesn't care if it's an MP3 or a JPEG. It would have to be on the site that's hosting the mp3. Pulling it from the browser or faking the origin are both still trivial.
As painful as it is for me to say this, you should probably be looking Encrypted Media Extensions, for a far more complete (if harder to implement) solution.
i would suggest looking at EME (encrypted media extensions).
here is a tutorial on it https://www.html5rocks.com/en/tutorials/eme/basics/
Disable all the possiblities of users viewing the page source by differnt keys like(ctrl+u,rightclick )
Please don't do this. There is no way to secure the page source since it is required by the client to view your site. Blocking different keys will just lead to bad user experiences. If you want to make it harder to read you can minify your html/js/css but honestly there is nothing so interesting in your page source that you would need to protect it.
If you do have something you need to protect (such as private keys, passwords, etc) then you need to get these out of the page source since there is no way to protect them properly. These things should be kept on the server instead.
Cover the webpage with an Animated screen
I am working a website, and I'm trying to prevent the video file to be downloadable.
I've already prevented the right click function, and I've used a webiste called http://htmlobfuscator.com/ that allows the source code to be very difficult to decipher. The only issue I now have remaining is the inspect element feature on browsers. Does anyone know of any way to prevent this? I know that someone is always going to find a way to download or capture a video, but I'm just trying to limit the spread of my videos.
Thanks for your help,
Stephen
There is no actually way of completely stopping someone, you could however as some have mentioned use something like Vimeo or YouTube to minimize the downloading of your videos, or another way you could do it and have found from personal experience is either creating a login/register on your site to make someone signup to get your video thus minimizing how many can download it or you can encrypt the video with a password, i believe Vimeo has this option which requires someone to enter a password in before even viewing the video.
Yet these are just two ways to Minimize not completely stop.
There is no way to stop a browser's document inspector from finding your file's location. However, I am a recording musician, and I know of a few things you can do to make thieving more difficult.
Put your JS video location in an external file. Not a lot of protection here, but worthwhile enough to add.
Break up the video location into a few different JS variables. Your thief would at least need some basic JavaScript knowledge to get to the video location.
Use an obfuscater, like you did. (I LOVE HTMLObfuscator!)
You could use flash video. This is difficult to download, but slower viewing, and also a bit more difficult to create and host on your website.
The best thing to use is streaming video, but not everyone is able to do that either.
Good luck!
I want to give a user a web application to deploy on their own server. I want to put on an image (advertising) that the user must not be able to hack and remove.
If you give the raw source code (PHP or ASP.NET), they can circumvent your code and remove your logo and etc. You will have to embed your image as a resource (In ASP.NET), and then dynamically load that image to the page using code (C#/VB.NET), and then compile the application, and distribute the binaries.
This way a casual user wont be able to remove. But an experienced user can still decompile your code or view your resource files, and change it.
If you are asking
Can I create ads that ad-blockers won't block?
The answer is: no
If you are asking
Can I force my web application to display an ad from the customers server?
The answer is: Maybe. But it still could be blocked/filtered between their server and delivering it to the client. So, yes, you technically could ensure the ad is served from your application, but that's no guarantee the site visitor will ever see it.
It may make more sense to make it a legal (contractual) requirement, though. It would be a lot less complicated.
I was just wondering what are the pros and cons of using embedded images instead of dynamic loading? Because when making games on pure AS3 (without Flash IDE), its a pain to manually embed all the assets needed... That makes your code sloppy, besides you don't have control to automatically change the hud, for example, by only changing the external file.
But I heard that some sites only let you upload a single swf, so you can't have external images. Also I heard that some are worried about users downloading their art... But as far as I know, and please correct if I'm wrong, they can also download them if they hack the swf with a decompiler. Having it external, you can encrypt the image, and unencrypt it on the code, so if they try to download they will only get encrypted code.
So... What do you think about embedding images? Please share all your thoughts to me.
I believe dynamic loading of images is a better approach. I agree with you about the game problem you stated, but when you are talking of flash/as3 as a whole, games are just one of the things among the many, you do. Also there are a few which also accept multiple files & maybe more will allow later. As of now hosting sites are just being on the safe side by not allowing multiple files & formats. So if you really have additional files you could just host them elsewhere & call them from your main swf.
I however cant agree about the point of making the code sloppy by managing images dynamically. When you do it through an IDE the IDE is writing the code for you, but as you might realize letting an IDE decide what to write doesn't always make the best. Manually handling things let's you understand all entry & exit points of an app. Moreover, would you want to open a flash IDE every time you wish to add an image, make an update, etc.
I usually like to use IDE cause of the awesome tools it provides to make things more efficient & prefer letting the code do all management/control stuff.And yes, if you have many small images (as in online flash games), embedding is better approach.
As far as the security is concerned even externally loaded files can be accessed if the encryption algorithm you use, can be found by decompiling the swf. So your best bet in case of security is usually using a third party software to encrypt the swf, which let's say increases your chance to prevent theft of your material. So if you really encrypt the swf using a 3rd party tool, both the ways would be acceptable.
I believe both approaches are valid, it mainly depends on your assets.
As you know embedding assets, will increase the size of your swf, I would only consider doing this for icon type images where size is hardly an issue.
For bigger images, I would definitely go for dynamic loading which I also find more flexible.
If I have lots of small icons, I'm embedding them. Imagine that number of requests in runtime, any of which may timeout. Pain of embedding, where? A single Embed tag in source or CSS for an asset. "Constant" assets must be embedded, "variable" ones - loaded.
Edit: OK, I got it. Pain of embedding lots of assets. Here is one idea come to my mind... Even if you loading something dynamically, you need some list with all filenames? You may take list of files and generate class full of public static const members with [Embed] attributes, that's fairly trivial. Then you use that class in project and voila, all is in the place. Maybe this helps.