The debug version of Adobe Flash Player is currently issuing runtime warning messages to developers stating that Adobe is deprecating two security settings:
These settings are deprecated because they can encourage a dangerous practice amongst developers who attempt to use them to control untrusted content hosted on the same domain as trusted content.
The default setting for allowScriptAccess is "sameDomain" which means that if the SWF and the surrounding HTML were both served from the same fully qualified domain name, then the SWF can communicate with the HTML's DOM and access data such as cookies or form data. If the HTML and SWF are served from different domains, then the SWF cannot access the surrounding HTML.
The allowScriptAccess setting of "never" means that the SWF cannot access the HTML's DOM regardless of their respective domains. For the scenario where the SWF and HTML are served from different domains, the "never" setting is redundant with "sameDomain" since the "sameDomain" setting would also block communication between content from different domains. Therefore, the "never" setting only has additional meaning when the SWF and HTML are served from the same domain.
Adobe strongly discourages developers and administrators from hosting untrusted content on the same domain as their trusted website. If a developer is hosting an untrusted SWF on a trusted domain with an allowScriptAccess setting of "never", then an attacker could elevate the allowScriptAccess permissions of the SWF to the default setting of "sameDomain" by directing an end-user to load the SWF directly in the browser without the surrounding HTML. If the SWF is referenced directly and no surrounding HTML is present, then the SWF will load with the default permission of "sameDomain" which can allow access to data such as cookies, even with no surrounding HTML present. A similar elevation of privilege can occur when allowNetworking controls are applied to SWF content that is hosted on the same domain as the referring HTML.
Adobe is currently issuing a runtime warning messages alerting developers that this setting is deprecated. Adobe Flash Player 9 and Flash Player 10 currently enforce the allowScriptAccess setting of "never" if it is in place. Adobe is currently working on further refining the security controls available to developers and will have additional controls and clearer guidance in the future. In the meantime, the following best practices are recommended.
Do not host untrusted content on domains that contain sensitive content. The allowScriptAccess and allowNetworking controls are intended for controlling untrusted content that is hosted on a separate fully qualified domain name or IP address. Adobe strongly discourages hosting any untrusted content on the same domain as your sensitive data. If the untrusted content is to be hosted on a separate domain name, ensure that the domain hosting the untrusted content does not resolve via DNS to the same IP address as the domain with trusted content. Untrusted content should be completely separated from the domain hosting the trusted or sensitive content.
If it is not possible to host untrusted SWF content on a separate domain, then the risk may be mitigated by placing the content in a directory that is not web accessible and controlling access through an intermediary CGI proxy to prevent direct linking. This approach can be difficult to implement correctly and would be dependent on the specific implementation of the site. Therefore, Adobe cannot provide specific guidance on this approach and recommends hosting the content on a separate domain.
The Flash Player security page at http://www.adobe.com/products/flashplayer/security/ should be your first stop for Flash Player security information. Click the "Resources for Developers" tab for a collection of links to useful documents.
You can find the Adobe Live Docs description of allowScriptAccess at http://livedocs.adobe.com/flash/9.0/main/00000360.html#wp131683.
Keywords:
kb407748
Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
