000018280 - Technical Information: Flash Shared object outputs token to a servlet  not JavaScript

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000018280
Applies ToAdaptive Authentication
IssueTechnical Information: Flash Shared object outputs token to a servlet, not JavaScript
When the flash movie is played in the browser, it outputs the token to a servlet that in turn puts it in the session for later packaging with the rest of the device info to create device request. Customers have requested that tokens get passed from the Flash Shared Object straight to JavaScript for use by them in http requests. The reason for this request is to eliminate the need for the session state on the server (the coder can send itself when its needed).
CauseActionScript functions and objects within a Flash movie are not accessible from web browser JavaScript. ActionScript can, however, invoke browser JS functions. This means that FSO movie can pass the FSO device token to a browser JS function instead of passing it to FSO servlet. The main problem with this implementation is that flash shared objects (FSO) are "bound to the domain the movie was served from", not the page hosting the movie. So if the movie is embedded within a hacker?s page, it will divulge device ID to JS function on that page which can then be forward to the hacker?s site silently using page redirect or XmlHttpRequest.
ResolutionThis is a security feature.
Legacy Article IDa31607