Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How secure – by design – is the ExternalInterface API call between JavaScript and Flash app residing in the same HTML container (on client side)?
Can it be – by design – intercepted?
Hint: the ExternalInterface API reference (above) reads
The ExternalInterface class requires the user’s web browser to support
either ActiveX® or the NPRuntime API that is exposed by some browsers
for plug-in scripting. See
http://www.mozilla.org/projects/plugins/npruntime.html.
Thanks
Depends what you mean by intercepted? If you trust the page / sandbox that the
ExternalInterfacecall is being made to then it is secure. The only attack vector I could think of would be the hacker modifying the__flash__toXMLjavascript function.Another point worth noting is that
ExternalInterface.callis vulnerable to XSS attacks; so the arguments must always be sanitized if they are coming from the user.