By domain locking (or site locking), we are restricting the SWF to be run only from a certain domain, ie the SWF should execute normally only if it has been viewed from a certain domain. If it is loaded from other domains, the SWF should execute in an alternative manner – perhaps not run at all, or run with limited features (as the developer deems appropriate). This is usually done to prevent unauthorized re-distributions of SWF files.
Which SWF URL?
We can get the URL of a SWF by checking the url property of the LoaderInfo object of the main document class:
var swfURL:String = loaderInfo.url;
However, for the purpose of domain locking, we would want to look at the loaderURL property instead:
var ldrURL:String = loaderInfo.loaderURL;
This is because your SWF can be loaded via a Loader object in another SWF, possibly from another domain. In this case, the url property still reports the URL of your SWF file (since it is still being loaded/leeched from the original location) but the loaderURL property will not be the same.
For a SWF that is loaded directly, both the url and loaderURL properties report the same value.
What About HTML Page URL?
It is possible that your SWF may be loaded directly from an allowed domain, and yet viewed within another unauthorized domain. This can happen if a HTML page from a different domain embeds your SWF object directly. If you wish to know the URL of the HTML page containing the SWF, you need to use the flash.external.ExternalInterface class:
import flash.external.ExternalInterface;
var htmlURL:String;
if (ExternalInterface.available)
{
htmlURL = ExternalInterface.call("window.location.href.toString");
}
That will give you the URL of the HTML page containing the loaded SWF, which you can test against when domain locking SWFs.
However, this depends on ExternalInterface to be available, which means it will only work with the following browsers:
* IE 5.0 and later
* Firefox 1.0 and later
* Mozilla 1.7.5 and later
* Netscape 8.0 and later
* Safari 1.3 and later
* any other browser that supports the NPRuntime interface.
Where ExternalInterface is unavailable, you should fall back to checking against the loaderURL.
import flash.external.ExternalInterface;
var url:String;
if (ExternalInterface.available)
{
url = ExternalInterface.call("window.location.href.toString");
}
else
{
url = loaderInfo.loaderURL;
}
You may also, if you wish, assume that if ExternalInterface is not available, then your SWF is being viewed under the wrong conditions and therefore it should not continue running. If you decide to go this (rather extreme) route, do consider showing a message to let the end-users know why, possibly telling them where they should go to view your application and which browsers they can use.
On the other hand, it is also possible that you may not want to test against the HTML page URL for domain locking purposes at all. Perhaps you want to allow other websites to show your SWF as long as the SWF is loaded from your server. For example, this can be the case if you have a widget that you want other websites to use but do not want the SWF to be re-distributed outside your domain. In such cases, knowing the HTML page URL is nevertheless useful for other reasons, such as tracking sites displaying your SWF.
Ultimately, which URL you should test against depends on the needs of your application.
Domain Locking – Single Domain
Once you get the proper URL to check against, your code can test to see if it is “qualified”. If it doesn’t match a pre-defined criteria, you would abort the rest of your application code, or run the application with limited features.
Here is the code you can use:
var allowedDomain:String = "www.ghostwire.com";
var allowedPattern:String = "^http(|s)://"+allowedDomain+"/";
var domainCheck:RegExp = new RegExp(allowedPattern,"i");
if (!domainCheck.test(url))
{
// domain check failed, abort application
stop();
// abort();
}
else
{
// domain okay, proceed
}
allowedDomain specifies the allowed domain
allowedPattern is the regular expression pattern that would be used – basically it says (i) the URL must start with “http://” or “https://”, (ii) followed by the allowed domain, (iii) followed by a slash “/” immediately after the domain name.
If you don’t expect your SWF to ever run via secured http, then the pattern can be “http://”+allowedDomain+”/”
Likewise if you expect your SWF to always run via secured http, then change the pattern to “https://”+allowedDomain+”/”
domainCheck is the RegExp object with pattern set to allowedPattern and using ignoreCase flag “i”.
domainCheck.test(url) returns true if the url contains the allowed domain name at the correct position in the string, false otherwise.
Domain Locking – Multiple Domains
What if we want to allow multiple domain names? With a little tweak to the regular expression, we can specify multiple domains using “|” as delimiter, as shown below:
var allowedDomains:String = "ghostwire.com|somewhere.net|elsewhere.org";
var allowedPattern:String = "^http(|s)://("+allowedDomains+")/";
var domainCheck:RegExp = new RegExp(allowedPattern,"i");
if (!domainCheck.test(url))
{
// domain check failed, abort application
stop();
// abort();
}
else
{
// domain okay, proceed
}
allowedDomains specifies one or more domain names to allow, with each domain name separated by alternator “|”.
allowedPattern has been changed to support the group of domain names.
This code works with single domain too.
Wild Cards
You can use regular expression wild cards when specifying allowedDomains:
var allowedDomains:String = ".*ghostwire.com";
// ghostwire.com and all subdomains
Likewise for multiple domains:
var allowedDomains:String = ".*ghostwire.com|.*somewhere.net|onlyhere.org";
// ghostwire.com and subdomains
// somewhere.net and subdomains
// onlyhere.org but none of its subdomains
There is no typo in the above – the dot (.) says match any character and the star (*) says zero or more matches.
Getting Domain Name
Let’s say you have allowed multiple domain names to run the SWF, but you would like to know which domain the SWF is loaded from. Perhaps your application may run with additional features if it is loaded from a certain domain. Whatever the reason may be, you can do so with the code below:
var allowedDomains:String = "ghostwire.com|somewhere.net|elsewhere.org";
var allowedPattern:String = "^http(|s)://(?P<name>"+allowedDomains+")/";
var domainCheck:RegExp = new RegExp(allowedPattern,"i");
var domainCheckResult:Object = domainCheck.exec(url);
if (domainCheckResult == null)
{
// domain check failed, abort application
stop();
// abort();
}
else
{
// domain okay, proceed
trace(domainCheckResult.name) // the domain name
// trace(domainCheckResult.name.toLowerCase()) // in lower case
}
We have used a named group in the regular expression for easy access to the matched domain name. This is done using (?P and ) to define the named group.
We use domainCheck.exec(url) instead of domainCheck.test(url) here.
Preventing SWFs From Running Locally
Because the pattern checks the URL to see if it starts with “http://” or “https://”, by domain locking you would also prevent the SWF from running locally (the URL will start with “file:///”).
If no domain locking is intended (ie, you want your SWF to be freely distributed and run online) but not run locally, you can use the following code:
var domainCheck:RegExp = new RegExp("^http(|s)://");
if (!domainCheck.test(url))
{
// domain check failed, abort application
stop();
// abort();
}
else
{
// domain okay, proceed
}
For other alternatives, see the post “Preventing SWFs From Running Locally”.
分享到:
相关推荐
What is Locking? Unfortunately, a unique, rigorous definition of locking does not seem to exist. From a most simple an general point of view one could state that Locking means the effect of a ...
Biased Locking in HotSpot
C++ and the Perils of Double-Checked Locking 关于单例模式C++实现的一些问题
Mode-locking of a terahertz laser by direct phase synchronization
深入理解linux内核中的锁机制,驱动编写必须要重视的问题
Sybase数据库性能优化:锁 Sybase Performance and Tuning:locking.pdf
USB Type-C Locking Connector Specification
C++ and the Perils of Double Checked Locking.zip
本资源是《Expert SQL Server Transactions and Locking》一书的源码。有需要的可以下载。
C语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言头文件 LOCKINGC语言...
NULL 博文链接:https://huanyue.iteye.com/blog/2047294
Oracle Database Transactions and Locking Revealed provides much-needed information for building scalable, high-concurrency applications and deploy them against the Oracle Database. Read this short, ...
详细叙述了ORACLE数据事务处理的实现机制、
该书比较系统的介绍了在linux内核编程中锁定使用方法,特别适合对linux内核开发感兴趣的读者。
MySQL Metadata Locking
Master SQL Server’s Concurrency Model so you can implement high-throughput systems that deliver transactional consistency to your application customers. This book explains how to troubleshoot and ...
Locking.one
锁机制的论文,在jdk1.6以后引入的偏向锁技术大大增加了以往重锁sychronized的性能
Laravel开发-laravel-locking 提供锁定机制
\Locking Key Ranges with Unbundled Transaction Services