Forums

AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

siva rajendran, modified 8 years ago.

AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

New Member Posts: 4 Join date: 12.07.15 Latest posts
On a security AppScan test I got the security violation below.

"Flash parameter AllowScriptAccess was set to always"

AppScan also recommends to set the "AllowScriptAccess" parameter to 'sameDomain' which tells the Flash Player that only SWF files loaded from the same domain as the parent SWF will have script access to the hosting web page.

And this is the fix recommendation: "Set the AllowScriptAccess parameter to 'sameDomain' which tells the Flash Player that only SWF files loaded from the same domain as the parent SWF will have script access to the hosting web page"

I am using "Liferay Portal Community Edition 6.2 CE GA2 (Newton / Build 6201 / March 20, 2014)".

Where do I find an option in Liferay to change this to "sameDomain"? Does anyone have a solution approach to fix this directly or using a workaround?
Olaf Kock, modified 8 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

Liferay Legend Posts: 6396 Join date: 23.09.08 Latest posts
You have started this new thread with exactly the same question as on stackoverflow, hours after I asked you there to cross-reference all your cross-postings so that we can eliminate duplicate work. And you don't think it's necessary to include a link to that site?

This is a free community help site - and stackoverflow is as well. Please be respectful of the work that everybody is doing here and there - and potentially in all the other places that you are cross-posting to. Now is the time to link all your posts yourself. I might consider looking at one of the posts when you have linked them yourself. Once the problem is solved on one site, there's no need to follow up on the other site.
Tomas Polesovsky, modified 8 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

Liferay Master Posts: 676 Join date: 13.02.09 Latest posts
Hi Siva,

Please, do you have more information?

What flash file is loaded with the AllowScriptAccess set to always?

In what JSP is the <param name="AllowScriptAccess" value="always"> or allowscriptaccess=always? Or is it created dynamically using JavaScript?

Is it possible to exploit this vulnerability, or is it only a false positive?

Thanks.
Manish Kharkar, modified 6 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

New Member Posts: 24 Join date: 08.12.14 Latest posts
Hello Tomas, Olaf,
I got to this page while searching for a resolution to the same question.
The application security scan finds the setting below for the flash parameter allowScriptAccess:
<param name="allowScriptAccess" value="always">
We were able to locate these entries in the aui and other javascript files.
Is there a way to change these to sameDomain?
I also found this link, but I am not able to understand the resolution:
AUI-99
Any pointers please?
Regards,
Manish.
Olaf Kock, modified 6 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

Liferay Legend Posts: 6396 Join date: 23.09.08 Latest posts
Manish Kharkar:
The application security scan, finds the below setting for the flash parameter...


Flash? I have the feeling that the next sequence of steps is:
Me: "Which exact version do you use?"
You: "[an ancient one]"
Me: "Please upgrade. This flash parameter is your least worry."

Am I right or wrong?
Manish Kharkar, modified 6 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

New Member Posts: 24 Join date: 08.12.14 Latest posts
Bingo.
I get the idea.
Thank you Olaf.
Regards,
Manish
Tomas Polesovsky, modified 6 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

Liferay Master Posts: 676 Join date: 13.02.09 Latest posts
Hi Manish,

Is there a way to change these to sameDomain?

Yes, change the JS files in your portal installation.

I also found this link, but am not able to understand the resolution

They said that the AUI JIRA project is not for reporting vulnerabilities.

Related to the actual vulnerability - if I remember correctly this was brought up years ago and the result from the frontend team was that this code is not used by the portal, so it's a false positive ... it cannot be exploited.

But if you have any concerns, feel free to change the JS file code; it's not used anyway.

Thanks.
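As an added example, not part of the thread and not Liferay's or AUI's own code: a small JavaScript audit of the kind a scanner runs, covering both forms of the setting reported above (the `<param name="allowScriptAccess">` tag and the `allowscriptaccess` attribute on `<embed>`), flagging `always` and rewriting it to `sameDomain`. The markup and SWF paths are constructed for the demonstration.

```javascript
// Added example (not Liferay/AUI code): find the Flash AllowScriptAccess
// setting in markup or in JS files that embed markup as strings, flag the
// unsafe value "always", and rewrite it to "sameDomain".
// The sample below is constructed; the SWF paths do not exist in any product.
const SAMPLE_MARKUP = `
<object width="300" height="200">
  <param name="movie" value="/html/js/example/player.swf">
  <param name="allowScriptAccess" value="always">
  <embed src="/html/js/example/player.swf" allowscriptaccess="always"
         type="application/x-shockwave-flash">
</object>
<object data="/html/js/example/other.swf">
  <param name="AllowScriptAccess" value="sameDomain">
</object>
`;

// Form 1: <param name="allowScriptAccess" value="..."> (name before value,
// the order the scanner reports; attribute names and values are case-insensitive).
const PARAM_RE =
  /<param\s+name\s*=\s*["']allowscriptaccess["']\s+value\s*=\s*["']([^"']*)["'][^>]*>/gi;
// Form 2: allowscriptaccess="..." as a plain attribute (typically on <embed>).
// The \b and the "=" keep it from matching the name="allowScriptAccess" of form 1.
const ATTR_RE = /\ballowscriptaccess\s*=\s*["']([^"']*)["']/gi;

// Only "always" grants script access to SWFs from other domains;
// "sameDomain" (also the Flash Player default when the parameter is absent)
// and "never" are acceptable.
function isUnsafeValue(value) {
  return value.toLowerCase() === 'always';
}

// Returns every occurrence, in document order, with its kind, value and an
// unsafe flag, so a report can point at the exact offset in the file.
function findScriptAccessSettings(markup) {
  const hits = [];
  for (const m of markup.matchAll(PARAM_RE)) {
    hits.push({ kind: 'param', value: m[1], index: m.index });
  }
  for (const m of markup.matchAll(ATTR_RE)) {
    hits.push({ kind: 'attribute', value: m[1], index: m.index });
  }
  return hits
    .sort((a, b) => a.index - b.index)
    .map((h) => ({ ...h, unsafe: isUnsafeValue(h.value) }));
}

// Rewrites only the unsafe occurrences, leaving surrounding markup untouched.
function hardenScriptAccess(markup) {
  const fix = (match, value) =>
    isUnsafeValue(value)
      ? match.replace(/(["'])always\1/i, '$1sameDomain$1')
      : match;
  return markup.replace(PARAM_RE, fix).replace(ATTR_RE, fix);
}

// Demo on the constructed sample.
const before = findScriptAccessSettings(SAMPLE_MARKUP);
console.log('unsafe before:', before.filter((h) => h.unsafe).length);
const after = findScriptAccessSettings(hardenScriptAccess(SAMPLE_MARKUP));
console.log('unsafe after:', after.filter((h) => h.unsafe).length);
```

Run it with `node`. The same two patterns are what to grep for in the JS files mentioned in the reply above; when the markup is assembled by string concatenation (`'value="' + cfg.allowScriptAccess + '"'`) the value lives elsewhere and this regex will not see it. Whether the finding matters at all is decided in the browser, not in the source: inspect the rendered page and check whether any `<object>`/`<embed>` carrying `allowscriptaccess="always"` actually reaches the DOM. If none does, the scanner hit is a static-source match only, which is the false-positive case the reply describes.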
Manish Kharkar, modified 6 years ago.

RE: AllowScriptAccess was set to "Always". How to change it to "sameDomain"?

New Member Posts: 24 Join date: 08.12.14 Latest posts
Thank you Tomas.
Regards,
Manish