Extension talk:Flashlets

From MediaWiki.org


Hm... I'm not sure how far ActionScript can access the surrounding website... is it possible to read the user's session cookie? Is it possible to load images etc from a different server? If the answer to both is yes, this extension is an invitation for w:Cross Site Scripting attacks. If only one of those is possible, it's not all that bad, but still worrying.

Please check and see... -- Duesentrieb 12:02, 1 April 2007 (UTC)

Flash is very crippled specifically so that it can't really contain malicious code. It can't access files on the local hard drive apart from a sandbox so the script can store data. It can only read files or images from the same subdomain it was served from. --Nad 12:37, 1 April 2007 (UTC)
But can it read cookies from the page that contains it?
Also, "Flash Cookies" are in the news right now... not a security problem by themselves, but something to be aware of. -- Duesentrieb 12:59, 1 April 2007 (UTC)
Oh... can getURL("javascript:alert('evil');") be used to run arbitrary JavaScript? That would be... evil... -- Duesentrieb 13:08, 1 April 2007 (UTC)
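As an added example, not part of the discussion above or of the Flashlets extension's own code: the concern that a SWF might call getURL("javascript:...") against the hosting page is controlled on the host-page side by Flash Player's allowScriptAccess and allowNetworking embed parameters, which are real; the function names, the URL whitelist and the regex-based audit are this example's own assumptions.

```javascript
// Added example: emit a hardened <object> tag for a SWF and audit an
// existing embed. Flash Player's allowScriptAccess parameter decides
// whether the movie may script the host page (getURL("javascript:..."),
// ExternalInterface); "never" turns that off. allowNetworking="internal"
// additionally blocks browser navigation calls such as getURL()/navigateToURL().
const SAFE_SCRIPT_ACCESS = 'never';
const SAFE_NETWORKING = 'internal';

function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Accept only a relative path or http(s) URL ending in .swf, so a wiki
// author cannot pass a javascript: or data: URL as the "movie".
function isAcceptableSwfUrl(url) {
  return /^(\/[^\s]*|https?:\/\/[^\s]+)\.swf$/i.test(url);
}

function renderFlashlet(swfUrl, width, height) {
  if (!isAcceptableSwfUrl(swfUrl)) throw new Error('rejected SWF URL: ' + swfUrl);
  const src = escapeAttr(swfUrl);
  return `<object type="application/x-shockwave-flash" data="${src}" ` +
    `width="${Number(width)}" height="${Number(height)}">` +
    `<param name="movie" value="${src}">` +
    `<param name="allowScriptAccess" value="${SAFE_SCRIPT_ACCESS}">` +
    `<param name="allowNetworking" value="${SAFE_NETWORKING}">` +
    `</object>`;
}

// Audit an <object>/<embed> snippet; returns a list of problems (empty when
// hardened). When allowScriptAccess is absent, Flash Player defaults to
// "sameDomain", which still lets a same-origin SWF run JavaScript on the page.
function auditFlashEmbed(html) {
  const issues = [];
  const paramOrAttr = (name) => {
    const p = new RegExp(`<param\\s+name=["']${name}["']\\s+value=["']([^"']*)["']`, 'i').exec(html);
    if (p) return p[1];
    const a = new RegExp(`\\s${name}=["']([^"']*)["']`, 'i').exec(html);
    return a ? a[1] : null;
  };
  const script = paramOrAttr('allowScriptAccess');
  if (script === null) issues.push('allowScriptAccess missing (defaults to sameDomain)');
  else if (script.toLowerCase() !== SAFE_SCRIPT_ACCESS) issues.push('allowScriptAccess=' + script);
  const net = paramOrAttr('allowNetworking');
  if (net === null || net.toLowerCase() === 'all') issues.push('allowNetworking not restricted');
  if (/(?:data|src|value)=["']\s*javascript:/i.test(html)) issues.push('javascript: URL in embed');
  return issues;
}
```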