I saw a Flexcoders post today where someone asked if they could hide a swf on a website. I caught the post after a few had already replied - what this person was trying to do is restrict access to their swf files.
One thing before we start... at some point your users are going to have your swf. I mean, that's the point - isn't it? That is to say, your swf will end up on a client machine, in some cache somewhere on your user's hard drive, and for those that are persistent... it won't stay hidden forever.
Ok. Next matter is that security is never absolute... and should be proportional to the value of your data. It is always a matter of balance and sensibility.
Back to the post...
Hello,
How to hide swf files on a website, preventing their copy by a software like httptrack?
Thank you,
Christophe,
So... web cruisers, crawlers, spiders, and whatnot find stuff by looking at urls - be they relative or not. The key then is to put your assets somewhere that breaks web/url sniffing... perhaps streaming your files from somewhere outside your web server context? Really, you don't need to go that far as long as file destinations can be obscured -- perhaps by a server-side script?
MUWAHAHAHAHHAAAA! A-hem.
I decided to use SWFObject to wrap my implementation, using the full screen template (fullpage.html). In the arguments, I pass a reference to my file proxy called swfProxy.php.
var so = new SWFObject("swfProxy.php", "hiddenSWF", "100%", "100%", "8", "#FF6600");
For this example I've used PHP to stream the swf. Really, any server-side language that can generate a stream from a file will do...
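<?php
session_start();
ob_start();
// Resolve the real file; its path is never exposed to the client.
$path = realpath("swfs/hidden.swf");
$fh = ($path !== false) ? fopen($path, "rb") : false;
if ($fh === false) {
    // Bail out instead of looping forever on a bad handle.
    header("HTTP/1.1 404 Not Found");
    exit;
}
header("Content-Type: application/x-shockwave-flash");
header("Cache-Control: no-cache, must-revalidate");
// A date in the past; "Sep" is the valid HTTP-date month abbreviation.
header("Expires: Mon, 15 Sep 1969 05:00:00 GMT");
// Stream the file to the client in small chunks.
while (!feof($fh)) {
    print(fread($fh, 500));
    ob_flush();
    flush();
}
fclose($fh);
?>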
That's about it... as long as you don't advertise where the swfs are coming from outside your scripts, web baddies probably won't be able to track them down. I say *probably* because any bot that sees the script can touch it to get the file... it may not be able to make sense of what is happening, or even store the whole of your application in a way that is usable outside your website. Adding authentication to your script greatly hardens this approach. Anyway.
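The authentication hardening mentioned above, sketched as an added example (not part of the original post or its downloadable source). It assumes a login script elsewhere sets `$_SESSION['user_id']`, that the swfs live in a `private_swfs` directory outside the web root, and that an optional `id` query parameter selects the file; all three names are hypothetical.

```php
<?php
// Added example: hardened variant of swfProxy.php. The session key, the "id"
// parameter, the directory and the allow-list entries are assumptions.
session_start();

// Files are kept outside the web root, so no direct URL to them exists.
const SWF_DIR = __DIR__ . '/../private_swfs';
// Public ids mapped to file names; the client never supplies a path.
const SWF_ALLOWED = ['main' => 'hidden.swf'];

function resolve_swf(array $session, array $query): ?string
{
    // 1. Only logged-in sessions get the file.
    if (empty($session['user_id'])) {
        return null;
    }
    // 2. Look the id up in the allow-list instead of building a path from
    //    user input, which rules out "../" traversal.
    $id = $query['id'] ?? 'main';
    if (!is_string($id) || !isset(SWF_ALLOWED[$id])) {
        return null;
    }
    $path = realpath(SWF_DIR . '/' . SWF_ALLOWED[$id]);
    return ($path !== false && is_file($path)) ? $path : null;
}

$path = resolve_swf($_SESSION, $_GET);
if ($path === null) {
    // Same response for "not logged in" and "unknown id", so a crawler
    // probing the script learns nothing about which ids exist.
    http_response_code(403);
    exit;
}

header('Content-Type: application/x-shockwave-flash');
header('Content-Length: ' . filesize($path));
header('Cache-Control: no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A crawler such as httptrack that requests the script without a valid session cookie now gets an empty 403 instead of the movie; a logged-in user still ends up with the swf in their browser, as noted at the start.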
One thing to keep in mind about this is that since PHP is streaming the file, there is a little additional lag as your Flex/Flash app loads. Just to make sure, I tested this on Windows XP/Vista with IE7 and FF3 and on Mac OSX 10.5 with Safari4 and FF3. It worked swell.
[ example: Hidden/Streamed SWF ]
[ source: Hidden/Streamed SWF ]