
Let me explain my situation. I'm using flash sockets to build an embedded chat application. Everything works great. I want to allow all the sites who embedded this application to connect to my server, except for some sites.

My problem is that the number of sites that I don't want to connect to my server is a very large one (4-5k). Currently, from what I've seen, all you can do is tell in your policy file the domains that you allow/not allow.

What I'm looking for is a way for flash player to send me the domain where the flash is embedded and I could return an accept/decline response. I know I can send info about the site where the flash is embedded using actionscript, but this can be very easily simulated.

So.. do you know any flash implementation about this, or do you know a better way to achieve this?

Thanks

Doua Beri

1 Answer

You can have more than one Socket Policy File. If you have your white list of allowed domains, you could create a script to generate a policy file for each domain, if you want to. That would get around each connection having to download a single policy file with 5000+ entries.

Just be aware though, that there is no way to completely secure this. No matter what you do, there is a way to spoof the context of the client. You can use obfuscators that encrypt the swf to "raise the hacker bar", but you're ultimately trusting the client to report its context. If you need real security, you need your chat program to have an authorization system, based on usernames, passwords or secret keys, and forget about trying to manage allowed domains, but think of it in terms of authorized users instead.

Adam Smith
  • Thanks for your reply. I know there isn't a 100% safe thing. What I want is nobody using an embedded swf to connect to my server unless I want to. The current cross-platform policy system seems to be ok, however I think it might have problems when you need to allow/block a large amount of domains. I'm not sure I know how to create multiple policy-files for each domain. From what I know flash player sends me a message with a policy request and I send him the response with allowed/blocked domains. Can you give me more details about the multiple policy files. – Doua Beri Apr 20 '11 at 21:08
  • Disregard that first bit. I was thinking of something I did once for cross-domain policy files, which was easier because you can send the domain in the request. You can have multiple socket policy files too, but you'd need to use different ports (far from an ideal solution, considering firewall issues). You're probably better off using the * wildcard for allowed domains, and doing a separate authentication handshake once the connection to your chat server is made. – Adam Smith Apr 21 '11 at 02:38
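The approach the answer and its follow-up comment settle on, as an added example that is not part of the thread: serve a wildcard socket policy, then authenticate each connection with a per-user secret instead of trusting the reported embedding domain. The policy request string and NUL-terminated reply are the Flash Player socket policy conventions; the user names, secrets and timestamps are constructed for the example.

```python
# Added example, not from the thread: a socket policy responder plus a
# per-user handshake, as the accepted answer suggests. Flash Player sends
# "<policy-file-request/>\0" and expects the NUL-terminated policy XML back.
# The embedding domain is not relied on; each connection must then present
# an HMAC token derived from a secret the client was issued (constructed here).
import hashlib
import hmac
from xml.sax.saxutils import quoteattr

POLICY_REQUEST = b"<policy-file-request/>\x00"

def build_socket_policy(domains, chat_port):
    """Socket policy file bytes; a '*' entry is the wildcard the answer mentions."""
    rules = "".join('  <allow-access-from domain=%s to-ports="%d"/>\n'
                    % (quoteattr(d), chat_port) for d in domains)
    xml = ('<?xml version="1.0"?>\n<cross-domain-policy>\n'
           + rules + '</cross-domain-policy>\n')
    return xml.encode("utf-8") + b"\x00"

def handle_policy_request(data, policy):
    """Return the policy for a raw policy request, None for anything else."""
    return policy if data == POLICY_REQUEST else None

def make_handshake_token(user, secret, ts):
    """Client side: user:timestamp:HMAC-SHA256 over 'user:timestamp'."""
    mac = hmac.new(secret, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{ts}:{mac}"

def verify_handshake(token, secrets, now, max_age=300):
    """Server side: known user, fresh timestamp, constant-time MAC comparison."""
    try:
        user, ts, mac = token.split(":")
        ts = int(ts)
    except ValueError:
        return False
    secret = secrets.get(user)
    if secret is None or abs(now - ts) > max_age:
        return False
    expected = hmac.new(secret, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)
```

The server answers the policy request on the socket, then reads the first line from the chat client and drops the connection unless `verify_handshake` returns True.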