Closed Bug 299680 Opened 19 years ago Closed 19 years ago

macromedia flash doesn't use firefox proxy

Categories

(Core Graveyard :: Plug-ins, defect)

1.7 Branch
x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: spiedon, Unassigned)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: 

With Firefox set to use a proxy, pages with flash content can connect out from
the machine without using the proxy.

Reproducible: Always

Steps to Reproduce:
1. Enable HTTP+s proxy
2. Visit site with flash content that makes outbound connection
3. Notice connection made between firefox and remote IP without proxy

Actual Results:  
connection made between firefox and remote IP without proxy

Expected Results:  
forced/allowed/instructed the plugin to use the proxy

Flash (or any plugin) is a separate binary that can do whatever it wants.
Obviously if you have scriptable content like Flash or Java you hope the plugin
vendor has appropriate security safeguards in place.

Flash appears to offer two ways to load content, one into a browser window which
will go through the browser's proxy setting, and an alternate command that makes
its own OS-level connections to the internet (with restrictions on what host
you can connect to). Java applets can do the same thing, in fact direct
connections from Java applets are fairly common.

There is no way for the browser to police or prevent any actions that binary
plugins do that bypass the browser's plugin API. Either you trust that the
plugin vendor made appropriate security restrictions or you should not use it.

There may be a way to specify a proxy for flash to use. If not it's possible
plugin vendors need a richer API from the browser to load XML data that isn't
window content (I'm just guessing it's the flash XML.load command that's
bypassing the browser). Either way, contact Macromedia and express your concerns;
any changes in our browser API would be driven by their request for specific
changes.

Not a Firefox security bug.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: General → Plug-ins
Product: Firefox → Core
Resolution: --- → INVALID
Version: unspecified → 1.7 Branch
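
Added example, not part of the original bug thread: one way to check the behaviour reported above on a test machine, by listing TCP connections owned by the browser process that do not end at the configured proxy. The `netstat -ano` sample, PID 2140 and the proxy address 192.168.1.1:3128 are constructed, and the code assumes the plugin's sockets are owned by the browser's PID, as the report describes.

```python
import ipaddress

# Constructed sample in the column layout of Windows `netstat -ano`
# (Proto, Local Address, Foreign Address, State, PID). Addresses are
# private/documentation ranges; PID 2140 stands in for firefox.exe.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.20:1061      192.168.1.1:3128       ESTABLISHED     2140
  TCP    127.0.0.1:1058         127.0.0.1:1059         ESTABLISHED     2140
  TCP    192.168.1.20:1064      203.0.113.45:80        ESTABLISHED     2140
  TCP    192.168.1.20:1070      198.51.100.7:443       SYN_SENT        2140
  TCP    192.168.1.20:1072      203.0.113.9:25         ESTABLISHED     1888
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
"""


def split_endpoint(endpoint):
    """Split 'ip:port' (or '[v6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def find_proxy_bypass(netstat_text, browser_pids, proxies):
    """Return (remote_ip, remote_port, state) for every TCP connection
    owned by a browser PID that does not terminate at a configured proxy.
    Loopback peers (the browser talking to itself) are skipped."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five columns; headers and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, remote, state, pid = fields
        if int(pid) not in browser_pids or state == "LISTENING":
            continue
        ip, port = split_endpoint(remote)
        if ip.is_loopback or (str(ip), port) in proxies:
            continue
        findings.append((str(ip), port, state))
    return findings


if __name__ == "__main__":
    proxy = {("192.168.1.1", 3128)}  # constructed proxy endpoint
    for hit in find_proxy_bypass(SAMPLE_NETSTAT, {2140}, proxy):
        print("direct connection from browser process:", hit)
```
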
The same error occurs in our network using an NTLM proxy.
But everything works fine in FF 1.0.7.

When using FF 1.5, an auth dialog pops up for auth info every time Flash is loading.

(In reply to comment #1)
> Flash (or any plugin) is a separate binary that can do whatever it wants.
> Obviously if you have scriptable content like Flash or Java you hope the plugin
> vendor has appropriate security safeguards in place.
> 
> Flash appears to offer two ways to load content, one into a browser window which
> will go through the browser's proxy setting, and an alternate command that makes
> its own OS-level connections to the internet (with restrictions on what host
> you can connect to). Java applets can do the same thing, in fact direct
> connections from Java applets are fairly common.
> 
> There is no way for the browser to police or prevent any actions that binary
> plugins do that bypass the browser's plugin API. Either you trust that the
> plugin vendor made appropriate security restrictions or you should not use it.
> 
> There may be a way to specify a proxy for flash to use. If not it's possible
> plugin vendors need a richer API from the browser to load XML data that isn't
> window content (I'm just guessing it's the flash XML.load command that's
> bypassing the browser). Either way contact Macromedia and express your concerns,
> any changes in our browser API would be driven by their request for specific
> changes.
> 
> Not a Firefox security bug.

Product: Core → Core Graveyard