Domain Locking SWFs

By domain locking (or site locking), we are restricting the SWF to be run only from a certain domain, i.e. the SWF should execute normally only if it is viewed from a certain domain. If it is loaded from other domains, the SWF should execute in an alternative manner – perhaps not run at all, or run with limited features (as the developer deems appropriate). This is usually done to prevent unauthorized re-distribution of SWF files.


Which SWF URL?
We can get the URL of a SWF by checking the url property of the LoaderInfo object of the main document class:

var swfURL:String = loaderInfo.url;

However, for the purpose of domain locking, we would want to look at the loaderURL property instead:

var ldrURL:String = loaderInfo.loaderURL;

This is because your SWF can be loaded via a Loader object in another SWF, possibly from another domain. In this case, the url property still reports the URL of your SWF file (since it is still being loaded/leeched from the original location) but the loaderURL property will not be the same.

For a SWF that is loaded directly, both the url and loaderURL properties report the same value.


What About HTML Page URL?
It is possible that your SWF may be loaded directly from an allowed domain, and yet viewed within another unauthorized domain. This can happen if an HTML page from a different domain embeds your SWF object directly. If you wish to know the URL of the HTML page containing the SWF, you need to use the flash.external.ExternalInterface class:

import flash.external.ExternalInterface;
 
var htmlURL:String;
if (ExternalInterface.available)
{
	htmlURL = ExternalInterface.call("window.location.href.toString");
}

That will give you the URL of the HTML page containing the loaded SWF, which you can test against when domain locking SWFs.

However, this depends on ExternalInterface being available, which means it will only work with the following browsers:
* IE 5.0 and later
* Firefox 1.0 and later
* Mozilla 1.7.5 and later
* Netscape 8.0 and later
* Safari 1.3 and later
* any other browser that supports the NPRuntime interface.

Where ExternalInterface is unavailable, you should fall back to checking against the loaderURL.

import flash.external.ExternalInterface;
 
var url:String;
if (ExternalInterface.available)
{
	url = ExternalInterface.call("window.location.href.toString");
}
else
{
	url = loaderInfo.loaderURL;
}

You may also, if you wish, assume that if ExternalInterface is not available, then your SWF is being viewed under the wrong conditions and therefore it should not continue running. If you decide to go this (rather extreme) route, do consider showing a message to let the end-users know why, possibly telling them where they should go to view your application and which browsers they can use.

On the other hand, it is also possible that you may not want to test against the HTML page URL for domain locking purposes at all. Perhaps you want to allow other websites to show your SWF as long as the SWF is loaded from your server. For example, this can be the case if you have a widget that you want other websites to use but do not want the SWF to be re-distributed outside your domain. In such cases, knowing the HTML page URL is nevertheless useful for other reasons, such as tracking sites displaying your SWF.

Ultimately, which URL you should test against depends on the needs of your application.


Domain Locking – Single Domain
Once you get the proper URL to check against, your code can test to see if it is “qualified”. If it doesn’t match a pre-defined criterion, you would abort the rest of your application code, or run the application with limited features.

Here is the code you can use:

var allowedDomain:String = "www.ghostwire.com";
 
var allowedPattern:String = "^http(|s)://"+allowedDomain+"/";
var domainCheck:RegExp = new RegExp(allowedPattern,"i");
if (!domainCheck.test(url))
{
    // domain check failed, abort application
    stop();
    // abort();
}
else
{
    // domain okay, proceed
}

* allowedDomain specifies the allowed domain.
* allowedPattern is the regular expression pattern that would be used – basically it says (i) the URL must start with "http://" or "https://", (ii) followed by the allowed domain, (iii) followed by a slash "/" immediately after the domain name.
* If you don’t expect your SWF to ever run via secured HTTP, then the pattern can be "http://"+allowedDomain+"/".
* Likewise, if you expect your SWF to always run via secured HTTP, then change the pattern to "https://"+allowedDomain+"/".
* domainCheck is the RegExp object with pattern set to allowedPattern and using the ignoreCase flag "i".
* domainCheck.test(url) returns true if the url contains the allowed domain name at the correct position in the string, false otherwise.


Domain Locking – Multiple Domains
What if we want to allow multiple domain names? With a little tweak to the regular expression, we can specify multiple domains using “|” as delimiter, as shown below:

var allowedDomains:String = "ghostwire.com|somewhere.net|elsewhere.org";
 
var allowedPattern:String = "^http(|s)://("+allowedDomains+")/";
var domainCheck:RegExp = new RegExp(allowedPattern,"i");
if (!domainCheck.test(url))
{
    // domain check failed, abort application
    stop();
    // abort();
}
else
{
    // domain okay, proceed
}

* allowedDomains specifies one or more domain names to allow, with each domain name separated by the alternator "|".
* allowedPattern has been changed to support the group of domain names.
* This code works with a single domain too.


Wild Cards
You can use regular expression wild cards when specifying allowedDomains:

var allowedDomains:String = ".*ghostwire.com";
// ghostwire.com and all subdomains

Likewise for multiple domains:

var allowedDomains:String = ".*ghostwire.com|.*somewhere.net|onlyhere.org";
// ghostwire.com and subdomains
// somewhere.net and subdomains
// onlyhere.org but none of its subdomains

There is no typo in the above – the dot (.) says match any character and the star (*) says zero or more matches.
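The single-domain, multiple-domain and wild card patterns above, rebuilt in JavaScript as an added example (not code from the original post) so they can be run against sample URLs; AS3 and JS RegExp share ECMAScript syntax, the only difference used here being the named group, written `(?P<name>...)` in AS3 and `(?<name>...)` in JS. The `subdomainsOf` and `escapeDomain` helpers, the sample URLs and the `checkAll` driver are this example's own additions, showing how an unescaped dot and a bare `.*` widen the match beyond the intended hosts.

```javascript
// Added example, not code from the original post: the post's ActionScript
// domain check rebuilt in JavaScript so the patterns can be run against sample
// URLs. AS3 and JS RegExp share ECMAScript syntax; the one difference used
// here is the named group, "(?P<name>...)" in AS3 versus "(?<name>...)" in JS.

// Same pattern the post builds: scheme, one allowed domain, then a slash.
function buildDomainCheck(allowedDomains) {
  return new RegExp("^http(|s)://(?<name>" + allowedDomains + ")/", "i");
}

// The matched domain (lower-cased) when the URL qualifies, otherwise null.
function matchedDomain(allowedDomains, url) {
  const result = buildDomainCheck(allowedDomains).exec(url);
  return result === null ? null : result.groups.name.toLowerCase();
}

// Hypothetical helper: escape regex metacharacters so a literal "." in a
// domain name only matches a dot (the post's "ghostwire.com" also matches
// "ghostwireXcom", because an unescaped dot matches any character).
function escapeDomain(domain) {
  return domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hypothetical helper: allow a domain and its subdomains only. "[^/]*" cannot
// run past the host into the path, and the required "\." means a lookalike
// such as "notghostwire.com" is not treated as a subdomain, both of which the
// post's ".*ghostwire.com" wild card accepts.
function subdomainsOf(domain) {
  return "([^/]*\\.)?" + escapeDomain(domain);
}

// Constructed sample URLs exercising the post's wild card and the tighter one.
const SAMPLE_URLS = [
  "http://www.ghostwire.com/widget.swf",
  "https://GHOSTWIRE.com/",
  "http://ghostwire.com.example.net/",   // other host, slash is elsewhere
  "http://notghostwire.com/",            // lookalike host
  "http://example.net/ghostwire.com/",   // domain name sitting in the path
  "file:///C:/widget.swf",               // local playback
];

// Returns { url: matchedDomainOrNull } for one allow pattern.
function checkAll(allowedDomains, urls = SAMPLE_URLS) {
  const out = {};
  for (const url of urls) out[url] = matchedDomain(allowedDomains, url);
  return out;
}

console.table(checkAll(".*ghostwire.com"));
console.table(checkAll(subdomainsOf("ghostwire.com")));
```

For several domains, join the pieces with "|" as the post does, e.g. `subdomainsOf("ghostwire.com") + "|" + escapeDomain("onlyhere.org")`.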


Getting Domain Name
Let’s say you have allowed multiple domain names to run the SWF, but you would like to know which domain the SWF is loaded from. Perhaps your application may run with additional features if it is loaded from a certain domain. Whatever the reason may be, you can do so with the code below:

var allowedDomains:String = "ghostwire.com|somewhere.net|elsewhere.org";
 
var allowedPattern:String = "^http(|s)://(?P<name>"+allowedDomains+")/";
var domainCheck:RegExp = new RegExp(allowedPattern,"i");
var domainCheckResult:Object = domainCheck.exec(url);
if (domainCheckResult == null)
{
    // domain check failed, abort application
    stop();
    // abort();
}
else
{
    // domain okay, proceed
    trace(domainCheckResult.name); // the domain name
    // trace(domainCheckResult.name.toLowerCase()); // in lower case
}

* We have used a named group in the regular expression for easy access to the matched domain name. This is done using (?P<name> and ) to define the named group, which is then read back as domainCheckResult.name.
* We use domainCheck.exec(url) instead of domainCheck.test(url) here, since exec returns the match object (or null when there is no match) rather than just true or false.


Preventing SWFs From Running Locally
Because the pattern checks the URL to see if it starts with “http://” or “https://”, by domain locking you would also prevent the SWF from running locally (the URL will start with “file:///”).

If no domain locking is intended (i.e. you want your SWF to be freely distributed and run online) but you do not want it to run locally, you can use the following code:

var domainCheck:RegExp = new RegExp("^http(|s)://");
if (!domainCheck.test(url))
{
    // domain check failed, abort application
    stop();
    // abort();
}
else
{
    // domain okay, proceed
}

For other alternatives, see the post “Preventing SWFs From Running Locally”.