Friday, 10 May 2013

Sitelocking experiment

Building a gamesite... We had a lot of trouble with leeching before, so I've been looking at different ways to protect against that. One way is checking the HTTP_REFERER, but you shouldn't rely on that exclusively. Another is sending JavaScript that breaks out of any iframes etc., but Adobe kind of blew that for us with the allowScriptAccess parameter. Still might work. Then there is a technique where you load an asset cross-domain and then fix your crossdomain.xml to allow just that. I don't know how that holds up against referer spoofing, but for now it seems to be working. Also, rotating filenames and using a container to get them is something I'm going to look at.

Test with sitelocking:

Trying to include the following file here: http://www.snoep.at/labs/flash/sitelocking/sitelocking.swf

Iframes and frames:

It is also possible to circumvent most types of protection in an iframe, so let's try that:


Allowing legit use

Notwithstanding all this security, the file can still be viewed from: http://www.snoep.at/labs/flash/sitelocking/ The big drawback of course is caching. If you have been to this site, the swf file has been cached and WILL display on another site, no matter what I do. So time to kill caching by rotating filenames etc.
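A sketch of the rotating-filename idea combined with the referer check, added here as an example and not code from this site: the container page embeds a filename derived from the current time window, and the server only serves names from the current or previous window, always with caching disabled. The secret, the 5-minute window, the function names and the choice to let requests without a referer through are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# All names and values below are assumptions made for this example.
SECRET = b"constructed-demo-secret"   # constructed value; keep the real one server-side
ALLOWED_HOSTS = {"www.snoep.at"}      # host taken from the URLs in this post
BUCKET_SECONDS = 300                  # a filename stays valid for one 5-minute window


def rotating_name(now, offset=0):
    """Filename the container page embeds for the window containing `now`."""
    bucket = int(now) // BUCKET_SECONDS + offset
    tag = hmac.new(SECRET, str(bucket).encode(), hashlib.sha256).hexdigest()[:16]
    return f"game-{tag}.swf"


def is_current_name(name, now):
    """Accept the current and previous window so a page loaded just
    before a rollover still gets its file."""
    return any(
        hmac.compare_digest(name.encode(), rotating_name(now, off).encode())
        for off in (0, -1)
    )


def decide(environ, name, now):
    """Return (status, headers) for a request for `name` (WSGI-style environ)."""
    # Never let the browser or a proxy keep a copy that outlives the window.
    headers = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]
    if not is_current_name(name, now):
        return "404 Not Found", headers
    referer = environ.get("HTTP_REFERER", "")
    # Secondary check only: the header can be absent or spoofed, so an
    # empty referer is let through and the rotated name does the real work.
    if referer and urlparse(referer).hostname not in ALLOWED_HOSTS:
        return "403 Forbidden", headers
    return "200 OK", headers
```

A leeching site that hard-codes the filename breaks at the next rollover, and `no-store` addresses the cached-copy problem described above.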

More on this subject later.