vrijdag 10 mei 2013

Sitelocking experiment

Building a gamesite.. We had a lot of trouble with leeching before. So I've been looking at different ways to protect against that. One way is checking the HTTP_REFERER, but you shouldn't exclusively rely on that. Another is sending a javascript that breaks out of any Iframes etc, but Adobe kind of blew that for us with the allowscriptacces parameter. Still might work. Then there is a technique, where you load in a asset cross-domain and then fix your crossdomain.xml to allow just that. I don't know how that holds up agains referer spoofing, but for now, it seems to be working. Also rotating filenames and using a container to get them is something I'm going to look at.

Test met sitelocking:

Trying to include the following file here: http://www.snoep.at/labs/flash/sitelocking/sitelocking.swf

Iframes and frames:

It is also possible to circumvent most types of protection in an iframe, so let's try that:


Allowing legit use

Not withstanding all this security the file can still be viewed from: http://www.snoep.at/labs/flash/sitelocking/ The big drawback offcourse is caching. If you have been to this site, the swf file has been cached and WILL display on another site, no matter what I do. So time to kill caching by rotating filenames etc.

More on this subject later.

Geen opmerkingen:

Een reactie posten