Are remote flash files vulnerable?
Currently I'm allowed users to add application/x-sh开发者_StackOverflow中文版ockwave-flash objects to their profiles in my website. I've only filtered the URL and the content-type is set to "application/x-shockwave-flash"
Is there any vulnerabilities in allowing my users to link to remote flash/video files?
It should be safe in principle, assuming that the users only specify a file (they don't write the embed code), and that they cannot upload files to your server.
You might care to make use of the allowNetworking
and allowScriptAccess
parameters in the embed tag where you embed the SWF, to limit what these embedded SWFs are allowed to do. See here for details.
Also, I'm assuming you don't have a wide-open crossdomain.xml file on your server. If you all open crossdomain access, then I think it's possible that hotlinking to unknown SWFs could be unsafe. (If you don't have any crossdomain.xml policy file, you're fine - the default is for no access to be granted if no policy exists.)
Since the user-generated Flash content will be hosted on other domains, it'll be sandboxed in the Flash player and won't be able to access anything critical on your domain.
精彩评论