Commit 7cf2bcbe authored by Anssi Piirainen's avatar Anssi Piirainen

Only load plugins and external config from the same domain as the player swf...

Only load plugins and external config from the same domain that the player swf was loaded from. Fixes flowplayer/flash#121
parent c60f792b
......@@ -4,6 +4,7 @@ Version history:
------
- #75 set the child display list different when a gradient is set.
- The clip property 'bufferLength' now accepts decimal values, for example bufferLength: 0.2
- #121 only load plugins and external config from the same domain as the player swf from loaded from
3.2.16
------
......
......@@ -46,7 +46,8 @@ package org.flowplayer.view {
import org.flowplayer.model.ProviderModel;
import org.flowplayer.model.State;
import org.flowplayer.util.Arrange;
import org.flowplayer.util.Log;
import org.flowplayer.util.DomainUtil;
import org.flowplayer.util.Log;
import org.flowplayer.util.TextUtil;
import org.flowplayer.util.URLUtil;
import org.flowplayer.view.Panel;
......@@ -621,7 +622,15 @@ package org.flowplayer.view {
callAndHandleError(initPhase1, PlayerError.INIT_FAILED);
} else {
ConfigParser.loadConfig(configObj.hasOwnProperty("url") ? String(configObj["url"]) : configStr, BuiltInConfig.config, function(config:Config):void {
var configUrl:String = configObj.hasOwnProperty("url") ? String(configObj["url"]) : configStr;
if (! DomainUtil.allowCodeLoading(configUrl)) {
log.error("Cannot load config from " + configUrl + ", only player's domain is accepted");
throw new Error("Cannot load config from " + configUrl + ", only player's domain is accepted");
return;
}
ConfigParser.loadConfig(configUrl, BuiltInConfig.config, function(config:Config):void {
_config = config;
callAndHandleError(initPhase1, PlayerError.INIT_FAILED);
}, new ResourceLoaderImpl(null, this), loaderInfo.url, VersionInfo.controlsVersion, VersionInfo.audioVersion);
......
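Review bot: The `return;` after `throw new Error(...)` in the rejected-config branch is unreachable, and the raw throw is the only signal that the config was refused. Whether it reaches the embedding page through the player's error reporting cannot be seen here, because the enclosing function starts and ends outside the hunk. PluginLoader reports the equivalent refusal through `dispatchError`, so routing this one through the `PlayerError.INIT_FAILED` path that `callAndHandleError` already uses would keep the two consistent. The message concatenates `configUrl`, which comes from the embedding page's configuration, so whatever logs or displays it should treat it as untrusted text. A one-line comment above the guard, such as `// config URL is caller-supplied: refuse to load config from outside the player's domain (#121)`, would record why the check is there.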
......@@ -18,46 +18,42 @@
*/
package org.flowplayer.view {
import flash.display.AVM1Movie;
import com.adobe.utils.StringUtil;
import flash.display.AVM1Movie;
import flash.display.DisplayObject;
import flash.display.Loader;
import flash.display.LoaderInfo;
import flash.events.Event;
import flash.events.EventDispatcher;
import flash.events.IOErrorEvent;
import flash.events.ProgressEvent;
import flash.net.URLRequest;
import flash.system.ApplicationDomain;
import flash.system.LoaderContext;
import flash.system.Security;
import org.flowplayer.model.ErrorCode;
import org.flowplayer.model.Plugin;
import org.flowplayer.controller.NetStreamControllingStreamProvider;
import com.adobe.utils.StringUtil;
import org.flowplayer.config.ExternalInterfaceHelper;
import org.flowplayer.controller.StreamProvider;
import org.flowplayer.model.Callable;
import org.flowplayer.model.DisplayPluginModel;
import org.flowplayer.model.FontProvider;
import org.flowplayer.model.Loadable;
import org.flowplayer.model.PlayerError;
import org.flowplayer.model.PluginError;
import org.flowplayer.model.PluginEvent;
import org.flowplayer.model.PluginModel;
import org.flowplayer.model.ProviderModel;
import org.flowplayer.util.Log;
import org.flowplayer.util.URLUtil;
import flash.display.DisplayObject;
import flash.display.Loader;
import flash.display.LoaderInfo;
import flash.events.Event;
import flash.events.EventDispatcher;
import flash.events.IOErrorEvent;
import flash.events.ProgressEvent;
import flash.net.URLRequest;
import flash.system.ApplicationDomain;
import flash.system.LoaderContext;
import flash.system.SecurityDomain;
import flash.utils.Dictionary;
import flash.utils.getDefinitionByName;
import flash.utils.getQualifiedClassName;
/**
import flash.system.SecurityDomain;
import flash.utils.Dictionary;
import flash.utils.getDefinitionByName;
import flash.utils.getQualifiedClassName;
import org.flowplayer.config.ExternalInterfaceHelper;
import org.flowplayer.controller.NetStreamControllingStreamProvider;
import org.flowplayer.controller.StreamProvider;
import org.flowplayer.model.Callable;
import org.flowplayer.model.DisplayPluginModel;
import org.flowplayer.model.FontProvider;
import org.flowplayer.model.Loadable;
import org.flowplayer.model.Plugin;
import org.flowplayer.model.PluginError;
import org.flowplayer.model.PluginEvent;
import org.flowplayer.model.PluginModel;
import org.flowplayer.model.ProviderModel;
import org.flowplayer.util.DomainUtil;
import org.flowplayer.util.Log;
import org.flowplayer.util.URLUtil;
/**
* @author api
*/
public class PluginLoader extends EventDispatcher {
......@@ -162,7 +158,14 @@ import flash.system.Security;
for (var i:Number = 0; i < plugins.length; i++) {
var loadable:Loadable = Loadable(plugins[i]);
if (! loadable.isBuiltIn && loadable.url && result.indexOf(loadable.url) < 0) {
result.push(constructUrl(loadable.url));
var pluginUrl:String = constructUrl(loadable.url);
if (DomainUtil.allowCodeLoading(pluginUrl)) {
result.push(pluginUrl);
} else {
log.error("Unable to load plugin from " + loadable.url);
loadable.dispatchError(PluginError.ERROR, "Unable to load plugin from " + pluginUrl);
}
}
}
return result;
......
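Review bot: The rejection branch logs the unresolved `loadable.url` but dispatches the error with `pluginUrl`, the value `DomainUtil.allowCodeLoading` actually judged, and the log line gives no reason. Logging the resolved URL and the cause, e.g. `log.error("Unable to load plugin from " + pluginUrl + ", only player's domain is accepted");`, makes a refused cross-domain plugin traceable. The guard sits in the URL-list builder, whose beginning is outside this hunk, so it only enforces the rule if every plugin load is driven from the returned list; that is worth confirming for any path that loads a `Loadable` directly. The duplicate test `result.indexOf(loadable.url) < 0` compares the raw URL against a list that holds constructed URLs, so it presumably misses duplicates whenever `constructUrl` changes the string.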
......@@ -18,9 +18,9 @@
id="player">
</a>
<script>
flowplayer("player", "../build/flowplayer.swf",
flowplayer("player", "../../../flash-build/build/flowplayer.swf",
{
url: "breaking-config.js"
url: "http://flash.flowplayer.org/demos/standalone/plugins/flash/config-embed.js"
});
</script>
</div>
......
......@@ -18,9 +18,9 @@
id="player">
</a>
<script>
flowplayer("player", "../build/flowplayer.swf",
flowplayer("player", "../../../flash-build/build/flowplayer.swf",
{
log: { level: 'debug', filter: 'org.flowplayer.view.Screen'},
log: { level: 'debug', filter: 'org.flowplayer.view.PluginLoader'},
key: '#$b6223bfbd646c621758',
......@@ -80,7 +80,13 @@
autoBuffering: true
// ,
// duration: 20
}
},
plugins: {
controls: {
url: "http://releases.flowplayer.org/swf/flowplayer.controls.swf"
}
}
});
......
......@@ -117,5 +117,29 @@ package org.flowplayer.util {
return domain.length;
}
public static function isLocal(url:String):Boolean {
trace("localDomain? " + url);
if (url.indexOf("http://localhost") == 0) return true;
if (url.indexOf("http://localhost:") == 0) return true;
if (url.indexOf("file://") == 0) return true;
if (url.indexOf("http://127.0.0.1") == 0) return true;
if (url.indexOf("http://") == 0) return false;
if (url.indexOf("/") == 0) return true;
return false;
}
public static function allowCodeLoading(resourceUrl:String):Boolean {
if (! URLUtil.isCompleteURLWithProtocol(resourceUrl)) return true;
var playerUrl:String = URLUtil.playerBaseUrl;
if (isLocal(playerUrl)) return true;
var playerDomain:String = parseDomain(playerUrl, true);
var resourceDomain:String = parseDomain(resourceUrl, true);
trace("player domain " + playerDomain);
trace("resource domain " + resourceDomain);
return playerDomain == resourceDomain;
}
}
}
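Review bot: `allowCodeLoading` returns true for every URL that `URLUtil.isCompleteURLWithProtocol` does not recognise, so the same-domain rule holds only if that helper also treats scheme-relative (`//host/...`) URLs as complete. Its body is outside this hunk, so that needs confirming; if it does not, an explicit `if (resourceUrl.indexOf("//") == 0) return false;` before the early return would close the gap. `isLocal` matches by prefix, so a player URL on a host that merely begins with `localhost` or `127.0.0.1` is treated as local and skips the domain comparison; the match should require `/`, `:` or end of string after the host name. The final comparison also ignores scheme and port and depends on what `parseDomain(url, true)` strips, which is not visible here, so the check may be looser than same-origin. The `trace(...)` calls look like debugging leftovers and would be better removed or routed through `org.flowplayer.util.Log`.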