Security Changes in Flash Player 8

In Flash Player 8 Macromedia has changed the security model that’s applied to local Flash content. By default, Flash applications that are run from a user’s local file system rather than over HTTP have more limited privileges in Flash Player 8 than in Flash Player 7. This model is applied to Flash content of all versions, which means that content published before the release of Flash Player 8 may be affected, in addition to new content created after its release. This article describes how to fix most issues that arise from these changes.

Besides changes to the security model, Flash Player 8 introduces a few other restrictions and adds some new security features. This article describes those changes as well, but the local security changes are by far the biggest security topic in Flash Player 8.

Note: These local security changes do not affect Flash content served over HTTP. Most Flash content is served over HTTP and should be unaffected by these changes.

New Restrictions

Here are the newest limitations on what Flash content can do:

• Local sandboxes: By default, local SWFs can no longer contact the Internet, perform HTTP communication, or communicate with local HTML files. If SWFs of version 7 or earlier attempt to perform any of these actions, users will see a warning dialog box that informs them that it cannot be done. The appearance of the dialog box, and breakages in existing content, can be remedied either by end users or by Flash developers by putting appropriate permissions in place.
• Loading restrictions: SWF and HTML content from non-local URLs may no longer load any content (SWF, HTML, PNG, and so on) from local paths.
• Third-party storage: Flash Player users may now choose to prevent third-party SWFs (those that come from different domains than the domain shown in the browser’s address bar) from reading or writing persistent shared objects. This restriction is not applied by default; users must proactively decide to apply it.
• allowScriptAccess default: For SWFs of version 8 and later, the default for the HTML allowScriptAccess parameter is “sameDomain” rather than “always”. This does not affect SWFs of version 7 or earlier. The allowScriptAccess parameter controls whether SWFs may call out to JavaScript in HTML pages.

New Security Features

Here is the new security functionality available to Flash content:

• Wildcard allowDomain: System.security.allowDomain() now accepts a wildcard “*” argument that enables access by SWFs from any domain.
• More precise permissions: System.security.allowDomain() and System.exactSettings now apply only to the SWF calling them, rather than to the calling SWF’s entire domain. This only affects new (version 8+) content, so backward compatibility is preserved.
• Secure persistent shared objects: SWFs loaded via HTTPS can now create SharedObject objects that may only be accessed by SWFs also loaded over HTTPS. This mirrors an ability of browser cookies and helps keep data stored in shared objects safe from snooping and modification threats. No existing shared objects are affected.