- From: Maciej Stachowiak <mjs@apple.com>
- Date: Fri, 02 Jul 2010 18:20:04 -0700
On Jul 2, 2010, at 6:04 PM, Maciej Stachowiak wrote:

> > Any site which does that has a giant security hole, since Flash can be used to arbitrarily script the embedding page. It's about as safe as allowing embedding of arbitrary off-site <script>. If you are aware of sites that allow embedding of arbitrary off-site Flash, you should alert them to the potential security risks. For example a social network site that allowed this would be vulnerable to a self-propagating worm.
>
> > What I have heard before is that sites whitelist specific SWFs or Flash from specific domains.

I don't have any first-hand knowledge of how sites actually do it. With testing I found at least one site where I can apparently embed arbitrary SWFs. However, this site has per-user domains, so it might be relatively safe. This site also allows me to embed arbitrary content in an <iframe>.

Regards,
Maciej
Received on Friday, 2 July 2010 18:20:04 UTC
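The mitigation the thread mentions, whitelisting specific SWF hosts, can be combined with the Flash embed parameters that deny a SWF script access to the embedding page. The following is an added example, not code from the thread or from any site discussed in it; the allowlist of hosts (`video.example.com`, `widgets.example.org`) and the `validateSwfUrl` / `buildSafeEmbed` helper names are assumptions made for illustration. It validates a user-supplied SWF URL against the allowlist and emits `<object>` markup with `allowScriptAccess="never"` and `allowNetworking="internal"`, so that even an allowlisted SWF cannot call ExternalInterface or `javascript:` URLs against the host page.

```javascript
// Added example (not from the original mailing-list thread): allowlist-based
// embedding of third-party SWFs with script access to the host page denied.
// The hosts below are a hypothetical allowlist chosen for this example.
const ALLOWED_SWF_HOSTS = new Set(['video.example.com', 'widgets.example.org']);

// Minimal HTML attribute escaping so a URL can be placed inside a quoted attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Returns the normalised URL string if the SWF may be embedded, otherwise null.
// Rejects non-http(s) schemes (javascript:, data:, ...), hosts outside the
// allowlist (including look-alike subdomains of attacker-controlled names),
// and paths that are not .swf files; fragments are dropped.
function validateSwfUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (!ALLOWED_SWF_HOSTS.has(u.hostname)) return null;
  if (!u.pathname.toLowerCase().endsWith('.swf')) return null;
  u.hash = '';
  return u.href;
}

// Builds <object> markup for an allowlisted SWF. allowScriptAccess="never"
// stops the SWF from scripting the embedding page (ExternalInterface,
// navigateToURL with javascript:); allowNetworking="internal" blocks
// browser-level navigation from inside the SWF while still permitting
// ordinary in-SWF network loads. Returns null when the URL is rejected.
function buildSafeEmbed(raw, width = 640, height = 360) {
  const url = validateSwfUrl(raw);
  if (url === null) return null;
  const src = escapeAttr(url);
  const w = Number(width) | 0;
  const h = Number(height) | 0;
  return [
    `<object type="application/x-shockwave-flash" data="${src}" width="${w}" height="${h}">`,
    `  <param name="movie" value="${src}">`,
    '  <param name="allowScriptAccess" value="never">',
    '  <param name="allowNetworking" value="internal">',
    '  <param name="allowFullScreen" value="false">',
    '</object>',
  ].join('\n');
}

// Constructed sample inputs for a stand-alone run.
console.log(buildSafeEmbed('https://video.example.com/player.swf?id=5'));
console.log(buildSafeEmbed('https://evil.example.net/worm.swf'));        // null
console.log(buildSafeEmbed('javascript:alert(document.cookie)'));        // null
```

The allowlist check matches the exact hostname, so `video.example.com.evil.net` is rejected; the script-access parameter is defence in depth for the case where an allowlisted host is later compromised or serves user-uploaded SWFs. A site that wants allowlisted SWFs to talk to the page would use `sameDomain` (the Flash default) only for SWFs served from its own origin.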