One way to prevent XSS (Cross Site Scripting) hacking

Using AllowScriptAccess to control outbound scripting from Macromedia Flash

The AllowScriptAccess parameter of the Macromedia Flash Player controls the ability to perform outbound scripting from within a Flash SWF. This feature requires Flash Player 6,0,40,0 or later.

Outbound scripting is achieved through use of FSCommand actions or getURL actions that specify a scripting statement.

Web pages that host Flash movies can set the parameter for the Macromedia Flash Player from the HTML code (PARAM tag for Internet Explorer, EMBED tag for Netscape Navigator).

AllowScriptAccess can have two possible values: “always” and “never”:

> When AllowScriptAccess is “never”, outbound scripting will always fail.
> When AllowScriptAccess is “always”, outbound scripting will always succeed.

If AllowScriptAccess is not specified by an HTML page, it defaults to “always”.

Note: Earlier versions of the player will ignore this parameter, generally behaving as though AllowScriptAccess were set to “always”.

Object Tag Example:
<PARAM NAME="AllowScriptAccess" VALUE="never">

Embed Tag Example:
<EMBED src="/support/flash/ts/documents/display.swf" AllowScriptAccess="never" … (other parameters)> </EMBED>

AllowScriptAccess can prevent a SWF file hosted from one domain from accessing a script in an HTML page that comes from another domain. Using AllowScriptAccess=”never” for all SWF files hosted from another domain can ensure security of scripts located in an HTML page.
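A defender-side check for the rule above, as an added example that is not part of the original technote: it scans a page's markup for SWF files loaded from another host whose OBJECT or EMBED tag does not set AllowScriptAccess to "never". The page URL, sample markup and all function and class names are constructed for illustration; reading the SWF location from the `movie` PARAM or the `data` attribute of an OBJECT tag is standard Flash embedding markup that this page does not show.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input: a page URL and markup embedding three SWF files.
PAGE_URL = "http://www.example.com/index.html"
SAMPLE = """<object>
  <param name="movie" value="http://ads.example.net/banner.swf">
  <embed src="http://ads.example.net/banner.swf" AllowScriptAccess="never"></embed>
</object>
<embed src="/local/menu.swf"></embed>
<object><param name="movie" value="http://cdn.example.org/w.swf">
  <PARAM NAME="AllowScriptAccess" VALUE="never"></object>"""

class SwfScriptAccessAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, absolute SWF URL, effective setting)
        self._objects = []   # stack of currently open <object> elements

    def _check(self, tag, src, access):
        if not src:
            return
        swf_url = urljoin(self.page_url, src)
        cross = urlparse(swf_url).hostname != urlparse(self.page_url).hostname
        # Per the technote, an unspecified parameter behaves as "always".
        effective = (access or "always").strip().lower()
        if cross and effective != "never":
            self.findings.append((tag, swf_url, effective))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "object":
            self._objects.append({"src": a.get("data"), "access": None})
        elif tag == "param" and self._objects:
            name = a.get("name", "").lower()
            if name == "movie":
                self._objects[-1]["src"] = a.get("value")
            elif name == "allowscriptaccess":
                self._objects[-1]["access"] = a.get("value")
        elif tag == "embed":
            self._check("embed", a.get("src"), a.get("allowscriptaccess"))

    def handle_endtag(self, tag):
        if tag == "object" and self._objects:
            obj = self._objects.pop()
            self._check("object", obj["src"], obj["access"])

def audit(html, page_url):
    parser = SwfScriptAccessAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

In the sample, the first OBJECT tag is reported even though its nested EMBED sets "never", because the setting has to be present on both tags to cover both browsers.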

For complete information on the potential security issue with allowing script access for SWF files from another domain, refer to Macromedia Flash Player Cross Server Scripting Security Issue.

Additional information
For information on how to detect Macromedia Flash Player, refer to How to detect the presence of the Flash Player (TN 14526). The Macromedia Flash Detection Kit is the recommended method of detection, and will allow you to require a specified release version of Macromedia Flash Player.

Macromedia is committed to the security of the Macromedia Flash Player, and invests considerable ongoing effort to ensure that the security and privacy of all Macromedia Flash Player users and all websites serving Macromedia Flash content are protected. For more information, or to report an issue to Macromedia, please refer to Macromedia Security Zone.