Swf Files Download Instead Of Playing
If you attempt to visit the URL of a raw SWF file, Chrome 57 refuses to display and instead asks if you want to download, with the warning 'This type of file can harm your computer'. However, if you wrap the same SWF in a simple web page with an object tag, it loads normally. The files are served with the correct 'application/x-shockwave-flash' content type.
- Swf Files Download Instead Of Playing On Iphone
- Swf Files Download Instead Of Playing Card
- How To Run Swf Files
- Flash Player Swf File
Is there any security reason why the former case should be treated differently from the latter?
Swf Files Download Instead Of Playing On Iphone
FWIW, I have Flash playback set to 'Ask first (recommended)' in chrome://settings/content
Example: http://www.sjgames.com/dice/cthulhudice/demo.html vs http://www.sjgames.com/dice/cthulhudice/img/CDdemo.swf
- Release it and it will begin to play the Shockwave Flash object automatically. If your Chrome or Firefox won't play the SWF file but download a new copy instead, it could be that: The browser doesn't have the correct Adobe Flash Player plugin installed. Try to download the latest version of a browser (Internet Explorer, Chrome, Firefox.
- How to Download SWF Files. This wikiHow teaches you how to download Flash games or videos. Flash games and videos can be downloaded as SWF files, though you will have to play around with the SWF file's website code by using your browser's.
- If the file plays correctly, you've successfully downloaded the right SWF file. (e.g., Enable/Install Flash) instead of the Click to enable Adobe Flash Player.
- SWF Once the graphic design is created from an FLA file, it is then saved into an SWF file in what is sometimes known as publication stage. SWF file is the kind you will find published on the web, shared with others. Editing and revising SWF files Editing and revising SWF files cannot be carried out without an FLA file.
- In this past week, many of the desktops at my school have stopped opening.SWF files. Many things we use are flash-based, and now instead of.
SWF Player works great for what we needed. Now we can extract the.SWF file from our favorite game websites and open them via SWF Player. Its kind of like JAR Midlets files on a cheap cellphone. Before the SWF would play when I drag and drop them into the browser, or right click and open them with Chrome. Instead, Chrome started prompting to download the SWF again — very unhelpful.
1 Answer
This behavior is apparently related to how Flash Player is a click-to-enable feature in Chrome now (Chrome Help forum discussion on this behavior). If you visit a SWF directly, it will not ask you to click-to-run, it will simply download it instead.
If you were to go to chrome://plugins/ and check 'Always allow to run' it would play the SWF as previously normal in the browser directly, without the HTML wrapper. The fact it will not prompt you to enable it does not seem to be a security decision.
Is there any security reason why the former case should be treated differently from the latter?
Swf Files Download Instead Of Playing Card
All that being said, yes, I think there would be.
Imagine there was a website, say an old forum, which allows you to upload an avatar. It is expected you will upload an image file, but the file type checking is poor, and an attacker uploads a malicious SWF file instead, to perform an XSS attack on the site admins. Now, the HTML being generated for this avatar, might look something like this:
That won't run as a SWF, so no HTML for the attacker. So instead the attacker tricks the admins into clicking a link to http://example.com/user/123/avatar.swf where the SWF does load, and that SWF performs the XSS attack as the privileged users, and PWNs the site.
How To Run Swf Files
Of course, such a risk is not unique to Flash Player. A similar attack could be performed with JavaScript inside an SVG instead of a SWF.