
Re: [Gnash-dev] Building in security


From: Martin Guy
Subject: Re: [Gnash-dev] Building in security
Date: Wed, 2 May 2007 12:00:53 +0100

2007/5/2, strk <address@hidden>:
> On Wed, May 02, 2007 at 10:48:12AM +0100, Martin Guy wrote:
> > We can just follow Adobe's algorithm for a first hack - at least that
> > will solve the problems that the community has alerted them to.
>
> Adobe's algorithm is based on a security-through-proprietary-software model,
> that is, it works as long as nobody can change the client code...

Adobe were forced to limit HTTP access to the same domain because that
was one way to avoid the hack attacks that people were complaining
about.

You are talking about security through obscurity, which is not the issue here.
The same-domain/cross-domain policy is explicit and public.

Before anyone starts proposing concrete solutions they need to
understand exactly what kind of exploits were enabled by allowing
loading from different domains. Maybe then they will understand why,
and, who knows, maybe even propose a better policy.
In our current position of ignorance, proposing solutions is premature.

Does anyone reading the list know more about this?

   M



