I've been trying to develop a security routine for Flash-based content but alas the elusive ActionScript has kicked my ass.
Anyone here know of a way for an SWF file to detect the address of the HTML page where the file itself is embedded on?
Basically what I'm trying to do is a method of security where at a certain frame in the movie (perhaps 30 seconds into the cartoon) Flash will detect the URL of the page that contains it. It will then compare that URL to the URL where it is supposed to be placed on, such as "http:/flashfilmmaker.com/liscenced_movie.htm". If it matches then it will continue to play until the cartoon is over without the user knowing what happened.
However, if the URL does not match (such as in the case someone is stealing your file and your bandwidth by embedding the file on their page or perhaps trying to view the cached version directly from their hard drive) it will jump to a hidden scene that will thank them for their interest in the movie but if they would like to finish watching the rest of it to log on to the web and view the cartoon from the proper licensed distributor's website.
I don't want to mess with preventing browser caching, or detecting external variables, or fooling around with my site's structure. I just plain want to detect the URL of the HTML page and have it compared to the proper address where the file is supposed to be.
Personally I feel this method is probably the best method for SWF security because the only way for a hacker to mess with it is to decompile it in binary form. But that will often just ruin the file so it wouldn't matter.
Another advantage to this method would be that if a user grabs the file from their cache they will only see a preview (perhaps the first 30 seconds); after the security check kicks in they will have to log on to your site to watch the entire file (more traffic for your site or licensed distributor).
P.S. If you can make a quick FLA demonstrating the ActionScript that would rock! But any suggestions are welcomed. If you do make a FLA send it to [email protected] - thanks again.
[Edited by Ibis Fernandez on 08-10-2001 at 03:09 PM]
probably not much luck on this:
Flash itself cannot get the outside url, only its own (so it could detect if someone was adding the cartoon to their own server), so it would have to rely on javascript in the html embedding to pass in the outer url or on fscommand and some javascript as well to check the outer url while the movie is running. Fscommand will lock out certain systems, and both approaches would use pretty visible javascript.
Another thing which I am not sure of: if the outer html is loaded from one site and the embedded cartoon from another site, and the cartoon contained a call to a relative url, which server would be called?
One other idea you might wish to check: if I have html frames from different servers with javascript in them, I might get an error that scripts from one server are not allowed to interact with scripts from a different one. If this has been implemented consequently, if a movie from different server would do
geturl("javascript:somevar=1;")
it should get the same error
Musicman
[Edited by Musicman on 08-10-2001 at 05:33 PM]
After a year of R&D I have come up with a great solution.
I have come up with a security scheme that is virtually flawless; in other words I'm sure someone can hack it but as far as I know it completely ensures that no one steals your movies.
It involves creating a gif file, hiding a special comment within its code. Flash is set out to search for the presence of this gif file by way of "Load Variables" and reads the gif file as if it was a text file rather than an image.
If the gif file is present and if the comment code matches the variable being searched for, the movie will play. If the image file is not there or if the key code does not match, it can be set to do whatever actions you want, from displaying a watermark, displaying a warning message in an endless loop, launching a massive circle jerk (pop-up ad loop) to teach them a lesson, or simply quit and shut down.
I'm experimenting with making the gif file uncacheable but even if the file is cached most people won't know the difference 'cause it may be the logo on your page, the one-pixel spacer, a banner ad. They'll never know which image is the key LOL.
you are probably trying to fight the webmaster that steals your cartoon and possibly your bandwidth, rather than the individual watching the movie from the cache (after it has been viewed once from the true site)
If you are using a relative link to the image, the webmaster could just steal the image as well - it need not even display on the other page but just be accessible. If you use an absolute url, you basically force them to steal your bandwidth too.
You may prevent this by using htaccess style protection on your site or make even the image a script that requires login. Since the most common browser does not send a referer with requests from the flash movie, it is quite hard to do anything better.
BTW: I think it would not take me too long to find out whichever file you are using for your protection scheme
you are probably trying to fight the webmaster that steals your cartoon and possibly your bandwidth, rather than the individual watching the movie from the cache (after it has been viewed once from the true site)
Actually it's to fight everybody. I'm trying to ensure that my cartoons are watched only from the sites of the people who have paid a licensing fee to watch my content. If people grab the file from the cache then they are stealing it. Sponsors pay money to have their ads viewed by the consumers, therefore it is to the benefit of the people who pay to have my cartoons on their sites to ensure that the ads are also being watched.
If a person downloads the file and watches it from their hard drive they are causing the licensee to lose valuable ad impressions.
If your content is published to CD-ROM and you are trying to prevent piracy, one good way to help it a bit is to ensure that files only work when the CD is present or only from the CD itself.
Originally posted by Musicman
If you are using a relative link to the image, the webmaster could just steal the image as well - it need not even display on the other page but just be accessible. If you use an absolute url, you basically force them to steal your bandwidth too.
The process so far is based on two tests. The first test is the image file. The second test involves a test where it detects the actual URL. It strips down all the trailing garbage and leaves just the domain behind. If the domain matches the domain where it is supposed to be playing from, then it will continue to play.
I'm sure there's a security hole somewhere in there but I still can find it. I'll play with it another day or two and I'll post it up for anyone who wants to try and hack it.
The process does become a bit more secure when the image file is placed below root level in a non-public directory. But not everybody has the ability to access directories beyond their root so I want to streamline it a bit when it comes to this respect.
with the exception of the image file in a secured area, I believe anyone who views the movie once - legally paid - could also steal it along with your bandwidth.
Do you want to show a link so that people could try?
BTW: I have never tried whether htaccess (webserver) protection works with flash movies, i.e. whether the browser actually adds the auth data to a request from the flash plugin
I can tell you right now, it does not. I have implemented a HTACCESS method of blocking file linking and it works but now my own pages can't access the SWF files (but they can access all other file types). My guess is, the Flash plugin isn't passing in the referrer.
Anyone with further advice on this would be much appreciated.
RB
The PHP script uses $_SERVER["vars"], so
you will need to be running PHP 4.1 or above to use it.
Well, I put this together for you.
It's pretty basic, and it does use HTTP_REFERER, so only some of your stuff would be protected.
But when you think about it, would a webmaster risk a portion of his clients seeing a theft warning with another domain's address on it pop up during a movie?
Great Idea and Good example Primates.
Another good idea is maybe set the check variable as a looped movie in the main movie so that it is constantly checking.
Correct me if I'm wrong, though: this wouldn't work well as a deterrent if you were using a flash player to stream other media types like mp3 or avi since these, even though played through flash, get cached.
Hi,
yes you are correct about the other media being cached, but I think he is more concerned about someone taking the movie itself and either hot linking it or taking it and putting it on their own server.
This should take care of that in a rough and tumble kind of way.
Here are a couple of things that need to be addressed with my examples:
First off, there is a variable in the first keyframe that clears the security variable when the movie loads, just in case someone tries to pass the var in the address string. The movie needs to be reworked so that someone can't just right click and rewind after the security warning comes up. Maybe just put the security warning in the first keyframe instead of the last, so that if they rewind they are still at the beginning, and if they go forward they hit the clip that contains the security scripting.
Is there another global in PHP like HTTP_REFERER that can get the calling address that is more browser stable?
I didn't want to use the PHP 4.1 dependent vars, but that is what seemed to work for me.
The security is mostly contained within one clip, so using it within your movies shouldn't be too hard.
I'm getting ready to make an easier-to-use version, where everything is contained in one clip and you would just need to copy the clip and change the loadVars address.
Let's get this thing secure. Let me know if it does not work, or if you find bugs or major security issues.
check www.fontimages.org.uk/anti_theft.swf
(no, I did not use the fla, but hexeditor...)
Suggestion: take the _url as well, cut it at the /, and compare against the true domain
The easiest way would be to put your .swf files 'unavailable' to the rest of the world through web server... then to build small backend script that would print some .swf upon request (simple HTTP header, and then printing the .swf)...
That's the easiest way to control usage of your .swf files...
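The backend-script approach from the last post, sketched as an added example that is not code from the thread: the SWF sits in a directory the web server does not expose, and a gateway script prints it only when the request carries a valid token. The script name `swf.php`, the directory, the secret and the signed, expiring token are all assumptions made for this example; the token stands in for the Referer header, which earlier posts report the Flash plugin does not send.

```php
<?php
// Added example (PHP 7.1+). swf.php, SWF_DIR and SECRET are placeholders.
// The licensed page embeds: swf.php?f=movie.swf&t=<issue_token('movie.swf')>
const SECRET  = 'replace-with-a-long-random-secret';
const SWF_DIR = '/var/private/swf';   // assumed directory outside the web root
const TTL     = 120;                  // token lifetime in seconds

// Run by the licensed HTML page when it writes the embed tag.
function issue_token(string $file, ?int $now = null): string
{
    $expires = ($now ?? time()) + TTL;
    return $expires . '.' . hash_hmac('sha256', $file . '|' . $expires, SECRET);
}

function token_is_valid(string $file, string $token, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                        // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false;                        // expired
    }
    $expected = hash_hmac('sha256', $file . '|' . $expires, SECRET);
    return hash_equals($expected, $mac);     // constant-time comparison
}

function serve_swf(string $name, string $token): void
{
    $file = basename($name);                 // drop any directory components
    $path = SWF_DIR . '/' . $file;
    if (!preg_match('/\A[A-Za-z0-9_-]+\.swf\z/', $file)
        || !token_is_valid($file, $token)
        || !is_file($path)) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: application/x-shockwave-flash');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    // filter_input() yields null/false for missing or array values; cast to ''.
    serve_swf((string) filter_input(INPUT_GET, 'f'), (string) filter_input(INPUT_GET, 't'));
}
```

The token only limits who can request the file from the server; a viewer who has already been served the SWF still holds a copy, as pointed out earlier in the thread.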