March 11, 2008

April Flash Player Security Update

Writing about web page http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html

This is just a heads-up for myself really – there’s a Flash Security Update coming in April, and one of the changes might affect any uploading functionality we intend to use because we’ll need a policy file to POST and GET with additional headers:

The April 2008 Flash Player update adds a new security feature to perform a cross-domain policy file check before allowing SWFs to send headers to another domain. This change helps improve web site security by helping to defend against malicious HTTP headers sent by content from other domains. The feature will also help to mitigate a potential UPnP issue (VU#347812) in which routers fail to correctly handle unexpected header values. In order for a SWF to send a header anywhere other than its own host, the origin domain of the SWF must have explicit permission from the host to which the header is being sent, in the form of a policy file. The existing policy file model will apply, with the same file locations and ActionScript APIs, but a new syntax will be required. To specify header-sending rights, use this new tag:

<allow-http-request-headers-from>
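To make the distinction in the Adobe note concrete, here is an added example (not code from the original post or from Adobe) that parses a crossdomain.xml and answers two separate questions for a given SWF origin: may it read data from this host (the existing allow-access-from rule), and may it attach a particular extra HTTP header to a request sent here (the new allow-http-request-headers-from rule). The sample policy is constructed, and the matching rules (exact domain, a "*.example" suffix wildcard, "*" for any domain; header names exact, "*", or a trailing-"*" prefix, compared case-insensitively) are a simplified reading of the policy-file syntax and are an assumption of this example. A small audit helper flags rules that grant header-sending rights to everyone.

```python
"""Evaluate a crossdomain.xml against a SWF origin and a request header.

Added example, not from the original post or from Adobe. The matching rules
below are a simplified, assumed reading of the policy-file syntax.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy for the host that receives the request.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
  <allow-http-request-headers-from domain="app.example.com"
                                   headers="SOAPAction,X-Requested-With"/>
  <allow-http-request-headers-from domain="*.partner.example"
                                   headers="X-Partner-*"/>
</cross-domain-policy>
"""

# Constructed example of the setting a defender should not ship.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""


def _domain_matches(pattern, origin):
    """'*' matches any origin; '*.x.y' matches x.y and its subdomains (assumed)."""
    pattern, origin = pattern.lower(), origin.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return origin == pattern[2:] or origin.endswith(pattern[1:])
    return pattern == origin


def _header_matches(pattern, header):
    """Header names are compared case-insensitively; a trailing '*' is a prefix."""
    pattern, header = pattern.strip().lower(), header.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return header.startswith(pattern[:-1])
    return pattern == header


def parse_header_rules(policy_xml):
    """Return [(domain, [header patterns])] from allow-http-request-headers-from."""
    root = ET.fromstring(policy_xml)
    rules = []
    for el in root.findall("allow-http-request-headers-from"):
        domain, headers = el.get("domain"), el.get("headers")
        if domain is None or headers is None:
            continue  # both attributes are needed; skip a malformed rule
        rules.append((domain, [h.strip() for h in headers.split(",") if h.strip()]))
    return rules


def data_read_allowed(policy_xml, origin):
    """The pre-existing rule: may a SWF from `origin` read data from this host?"""
    root = ET.fromstring(policy_xml)
    return any(_domain_matches(el.get("domain", ""), origin)
               for el in root.findall("allow-access-from"))


def header_allowed(policy_xml, origin, header):
    """The new rule: may a SWF from `origin` add `header` to a request here?"""
    return any(_domain_matches(domain, origin)
               and any(_header_matches(p, header) for p in patterns)
               for domain, patterns in parse_header_rules(policy_xml))


def permissive_rules(policy_xml):
    """Flag rules that grant header rights to every domain or for every header."""
    findings = []
    for domain, patterns in parse_header_rules(policy_xml):
        if domain == "*":
            findings.append(f"domain='*' lets any site send headers {patterns}")
        if "*" in patterns:
            findings.append(f"headers='*' for domain {domain!r} allows any header")
    return findings


if __name__ == "__main__":
    print(header_allowed(SAMPLE_POLICY, "app.example.com", "SOAPAction"))
    print(header_allowed(SAMPLE_POLICY, "other.example.net", "SOAPAction"))
    print(permissive_rules(WEAK_POLICY))
```

Note that a plain GET or POST with no extra headers never consults the header rule at all, which is the point the comments below settle: only the data-read rule applies to a plain fetch, and a host can grant one without the other.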

6 comments by 3 or more people
  1. Mathew Mannion

    I don’t really see the point of this. It’s not like it’s remotely difficult to send arbitrary headers to domains without using Flash

    11 Mar 2008, 10:37

  2. Mathew Mannion

    Also, will this stop you using content from other domains (such as from static repositories)?

    11 Mar 2008, 10:38

  3. Steven Carpenter

    Yeah – this is a direct response to some general security-related attacks that occurred via Flash adverts a while ago, so I think while it’s possible to send headers by other means Adobe just wants to lock down the Flash Player to avoid further problems:

    The general theme in the above is that each machine involved in a communication must give explicit permission to engage in such conversations with applications hosted within Adobe Flash Player. Resetting defaults is a hard task, but in today’s new security environment, it must be done.

    It will affect getting data from other domains directly, but it looks like it’s just a minor change to the existing crossdomain.xml policy files we have in place.

    11 Mar 2008, 10:52

  4. Mathew Mannion

    Surely this will cause massive problems with things such as MP3 players though, because it’s going to break so many existing applications. Why should I need to put a crossdomain.xml file on some remote server to read a file by GET, when I could just browse to the file and get it anyway? It doesn’t make any sense!

    11 Mar 2008, 11:18

  5. Steven Carpenter

    I should clarify – I should’ve said ‘POST/GET with additional headers’, because you only require the cross-domain policy if you are trying to append the basic GET or POST request with other header data. I’ve changed the entry so this is clearer. The MP3 example shouldn’t be affected at all unless it’s trying to request stuff via additional headers as well :-)

    11 Mar 2008, 12:01

  6. Nick Howes

    I don’t really see the point of this. It’s not like it’s remotely difficult to send arbitrary headers to domains without using Flash

    It is easy to attack a machine with arbitrary headers from your computer. But being able to send a massive distributed attack from every computer that simply visits your site is something entirely different.

    12 Mar 2008, 11:44
