Extension talk:Flashlets

Hm... I'm not sure how far ActionScript can access the surrounding website... is it possible to read the user's session cookie? Is it possible to load images etc from a different server? If the answer to both is yes, this extension is an invitation for w:Cross Site Scripting attacks. If only one of those is possible, it's not all that bad, but still worrying.

Please check and see... -- Duesentrieb 12:02, 1 April 2007 (UTC)

Flash is very crippled specifically so that it can't really contain malicious code. It can't access files on the local hard drive apart from a sandbox so the script can store data. It can only read files or images from the same subdomain it was served from. --Nad 12:37, 1 April 2007 (UTC)
But can it read cookies from the page that contains it?
Also, "Flash Cookies" are in the news right now... not a security problem by themselves, but something to be aware of. -- Duesentrieb 12:59, 1 April 2007 (UTC)
Oh... can getURL("javascript:alert('evil');") be used to run arbitrary JavaScript? That would be... evil... -- Duesentrieb 13:08, 1 April 2007 (UTC)
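The two concerns raised in this thread (a SWF calling page JavaScript through getURL, and a SWF navigating the browser or loading content from elsewhere) are controlled on the embedding side by the Flash Player embed parameters allowScriptAccess and allowNetworking. As an added example, not code from the Flashlets extension or from anyone in this discussion, here is a small Node.js script that audits the <object>/<embed> markup a wiki page emits for a SWF and builds a hardened variant; the sample markup and the function names are constructed for the example.

```javascript
// Added example: audit SWF embed markup for the Flash Player parameters that
// gate page scripting and browser navigation, and emit a hardened embed.
// Assumption: the page emits standard <object>/<param>/<embed> markup.
// allowScriptAccess and allowNetworking are real Flash Player embed parameters;
// the defaults quoted below (sameDomain, all) are the Flash Player 8+ defaults.

const SAFE_SCRIPT_ACCESS = new Set(["never"]);           // SWF may not call page JavaScript
const SAFE_NETWORKING = new Set(["none", "internal"]);    // SWF may not navigate the browser

// Read a parameter either from a <param name=".." value=".."> child or from an
// attribute on the <embed> element; returns the lower-cased value or null.
function readParam(markup, name) {
  const paramRe = new RegExp(
    `<param\\s+name=["']${name}["']\\s+value=["']([^"']+)["']`, "i");
  const m = markup.match(paramRe);
  if (m) return m[1].toLowerCase();
  const attrRe = new RegExp(`<embed[^>]*\\s${name}=["']([^"']+)["']`, "i");
  const e = markup.match(attrRe);
  return e ? e[1].toLowerCase() : null;
}

// Returns { ok, findings } describing what the embed still allows the SWF to do.
function auditEmbed(markup) {
  const findings = [];
  const scriptAccess = readParam(markup, "allowScriptAccess");
  const networking = readParam(markup, "allowNetworking");

  if (scriptAccess === null) {
    findings.push("allowScriptAccess missing: default sameDomain lets a same-origin SWF run page JavaScript");
  } else if (!SAFE_SCRIPT_ACCESS.has(scriptAccess)) {
    findings.push(`allowScriptAccess=${scriptAccess}: SWF may run JavaScript in the page`);
  }
  if (networking === null) {
    findings.push("allowNetworking missing: default all lets the SWF navigate the browser");
  } else if (!SAFE_NETWORKING.has(networking)) {
    findings.push(`allowNetworking=${networking}: SWF may navigate the browser`);
  }
  return { ok: findings.length === 0, findings };
}

// Minimal attribute escaping so a SWF URL cannot break out of the markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build embed markup with both parameters pinned to their restrictive values.
function buildHardenedEmbed(swfUrl, width, height) {
  const src = escapeAttr(swfUrl);
  const w = Number(width), h = Number(height);
  return [
    `<object type="application/x-shockwave-flash" data="${src}" width="${w}" height="${h}">`,
    `<param name="movie" value="${src}">`,
    `<param name="allowScriptAccess" value="never">`,
    `<param name="allowNetworking" value="internal">`,
    `<embed src="${src}" type="application/x-shockwave-flash" width="${w}" height="${h}"`,
    ` allowScriptAccess="never" allowNetworking="internal">`,
    `</object>`,
  ].join("");
}

// Constructed sample: an embed that leaves page scripting enabled.
const SAMPLE_LOOSE_EMBED =
  '<object width="100" height="100"><param name="movie" value="/x.swf">' +
  '<embed src="/x.swf" allowScriptAccess="always"></object>';

module.exports = { readParam, auditEmbed, buildHardenedEmbed, SAMPLE_LOOSE_EMBED };
```

Running auditEmbed on SAMPLE_LOOSE_EMBED reports both problems; running it on the output of buildHardenedEmbed reports none. allowNetworking="internal" still lets the SWF load data from its own origin, which is what Nad's description of the same-domain rule relies on, while "none" would block that too.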