- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 21 Oct 2011 15:58:15 +0100
- To: Travis Hassloch <thassloc@adobe.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Received on Friday, 21 October 2011 14:58:51 UTC
On 21 October 2011 01:19, Travis Hassloch <thassloc@adobe.com> wrote:

> I would be very appreciative to hear your ideas on how
> Content-Security-Policy should apply to flash.
>
> For example, one idea of many: SWF files are compiled from
> actionscript, which is more-or-less ECMAscript, so perhaps it
> should be interpreted as such. On the other hand, they may be
> dissimilar enough that extensions to CSP (new directives) may
> be the way to go.
>
> Thoughts on this or any other aspect?
>
> Backgrounder on flash security model:
> <URL: http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html>

The whole CSP security model breaks down when you have flash without HTML so served directly on the page and lots and lots of sites allow direct flash injections without html.

Also your crossdomain policy doesn't work for outgoing requests does it? Or have you fixed that now?

A certain WAF vendor (it shall remain nameless because I forgot which one it was) had Flash injections on their "banner" flash file, an attacker could simply create a global crossdomain policy on their server and then send a request for an XML file to the evil server from the "good" server and the "good" site would be injected with images or malicious HTML from the evil server XML file.

PS The WAF didn't seem to work =)