Reposted from: http://www.ydjps.sc.cn/windson/myblog/article.asp?id=33
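Understanding the security issues of Flash Player 8 is necessary for developers, animation designers and website administrators. At present the security-related APIs of Flash Player 8 are placed under the System class.
All methods under System: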
IME
setClipboard
security
exactSettings
showSettings
Product
Capabilities
System.exactSettings
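Whether exact domain matching is used. Player 6 and earlier used superdomain matching; Player 7 and later use exact matching. The value type is Boolean, and the property is writable.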
System.security
The System.security methods currently visible in Flash Player 8,0,22,0 are:
loadPolicyFile: loads an XML policy file
(Definition of a policy file:
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="507" />
  <allow-access-from domain="*.foo.com" to-ports="507,516" />
  <allow-access-from domain="*.bar.com" to-ports="516-523" />
  <allow-access-from domain="www.foo.com" to-ports="507,516-523" />
  <allow-access-from domain="www.bar.com" to-ports="*" />
</cross-domain-policy>
)
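(Note: if none of the policy files specified by loadPolicyFile() authorizes the request, Flash Player consults the original default location /crossdomain.xml as the final fallback.)
allowInsecureDomain: allows multiple SWF files to communicate across protocols (http and https)
allowDomain: allows multiple SWF files to communicate across domains over http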
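An added example, not part of the original article: a Python check of which requesting host and port the policy file above authorizes, and which of its entries are open to every domain or every port. The function names and the domain matching model (suffix wildcard, otherwise exact match) are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# The policy file shown above, embedded as sample input.
POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" to-ports="507" />
  <allow-access-from domain="*.foo.com" to-ports="507,516" />
  <allow-access-from domain="*.bar.com" to-ports="516-523" />
  <allow-access-from domain="www.foo.com" to-ports="507,516-523" />
  <allow-access-from domain="www.bar.com" to-ports="*" />
</cross-domain-policy>"""

def port_allowed(spec, port):
    """to-ports is '*', or a comma list of single ports and lo-hi ranges."""
    if spec.strip() == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        hi = hi or lo
        # Malformed or empty parts grant nothing.
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def domain_allowed(pattern, host):
    """Assumed model: '*' is any host, '*.x' is a suffix wildcard, else exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def is_authorized(policy_xml, host, port):
    """True if any allow-access-from entry grants host access to port."""
    root = ET.fromstring(policy_xml)
    return any(domain_allowed(e.get("domain", ""), host)
               and port_allowed(e.get("to-ports", ""), port)
               for e in root.iter("allow-access-from"))

def audit(policy_xml):
    """Return (domain, to-ports) for entries open to every domain or every port."""
    root = ET.fromstring(policy_xml)
    return [(e.get("domain"), e.get("to-ports"))
            for e in root.iter("allow-access-from")
            if e.get("domain") == "*" or e.get("to-ports") == "*"]

if __name__ == "__main__":
    for host, port in [("other.example", 507), ("other.example", 516), ("a.bar.com", 520)]:
        print(host, port, is_authorized(POLICY, host, port))
    print(audit(POLICY))
```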
The System.security methods currently hidden in Flash Player 8,0,22,0 are:
sandboxType: the security sandbox type
escapeDomain
chooseLocalSwfPath
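The values of System.security.sandboxType include (currently a read-only property):
Remote: the SWF file comes from a remote location
localWithFile: the SWF file is local; it can read local data but cannot access the network
localWithNetwork: the SWF file is local; it can read network data but cannot access local data
localTrusted: can access both the network and local data.
In the Flash 8 debugging environment, the value of System.security.sandboxType is localTrusted
When the file is opened locally in the external player, the value of System.security.sandboxType is localWithFile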
SWF file loading APIs
MovieClip.loadMovie
MovieClip.loadMovieNum
MovieClipLoader.load
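Security checks:
1. If the security sandbox of the loading movie is local-with-filesystem and the file being loaded comes from the network or from the local-with-networking security sandbox, loading fails.
...local, then loading fails.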
Data loading
LoadVars.load()
LoadVars.sendAndLoad()
XML.load()
XML.sendAndLoad()
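Security checks:
If the security sandbox of the loading movie is local-with-filesystem and the file being loaded comes from the network or from the local-with-networking security sandbox, loading fails.
Permission mechanism: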
Policy File—The default is to deny access between sandboxes. The website can enable access to a resource by adding a policy file.
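XMLSocket.connect()
Security checks:
1. If the file is in the local-with-file security sandbox, the connection is not allowed
2. If the port being accessed is below 1024, the connection is not allowed
Permission mechanism: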
Policy File—The default is to deny access between sandboxes. The website can enable access to a resource by adding a policy file with the XMLSocket protocol. The author can invoke loadPolicyFile().
NetConnection.connect() (AMF Remoting only)
Security checks:
If the file is in the local-with-file security sandbox, the connection is not allowed
Permission mechanism:
Policy File—The default is to deny access between sandboxes. The website can enable access to a resource by adding a policy file.
NetConnection.connect() (Flash Communication Server RTMP only)
Security checks:
If the file is in the local-with-file security sandbox and the resource being accessed is in a non-local security sandbox, the connection is not allowed
Permission mechanism:
Server-side ActionScript—The default is to allow access. The website can deny access to a resource by adding server-side ActionScript application logic in Flash Communication Server.
NetStream.play() / Sound.load()
Security checks:
If the file is in the local-with-file security sandbox, the connection is not allowed
Permission mechanism:
1. Policy File—Network sandbox access from local trusted or local-with-networking sandbox requires permission from website
2. Default for other cross-domain requests is to allow access.
FileReference.upload() / FileReference.download()
Security checks:
If the calling file is an untrusted local file, access is not allowed
Permission mechanism:
Policy File—The default is to deny access between sandboxes. A website can enable access to a resource by adding a policy file.