Security is often at odds with usability. Adobe Flash began addressing this problem several releases ago by implementing and standardizing on a cross-domain security model that has evolved over the years into a robust, secure solution. By providing controls for who may receive data from whom, Adobe Flash can power rich Internet applications that are safe and extremely flexible.
An excellent explanation of the cross-domain security model can be found here.
Enhanced Security and the Desktop
As Adobe Acrobat and Reader became more powerful over the years (for example, gaining support for JavaScript and Web Service interaction), the line between document and application gradually blurred, and Adobe began to leverage the Flash security model where appropriate. One such area is cross-domain security in Acrobat and Reader 9. Because many users save PDFs to their desktop or open PDFs that arrive as email attachments, we needed to add desktop domains (trusted files and folders, not just web hosts) to Acrobat and Reader.
Acrobat and Reader 9 let a user or a system administrator increase the privileges of chosen files, folders, and hosts by designating them as privileged locations. Files in privileged locations are exempted from certain security policies; for example, they can be exempt from cross-domain restrictions. Locations can be set by the user through the UI (the Preferences dialog), or by a system administrator using the Adobe Customization Wizard to specify installer settings prior to enterprise-wide deployment.
The three choices for privileged locations are:
Files — A file is defined by its path, so its privileged setting no longer applies if the file is moved. The difference between privileged PDF files and privileged PDF folders is one of scale: a user with a large number of files they know they can trust may find it more practical to put them all in one privileged folder, while a user who has many PDFs in a single folder but wants to trust only two of them would use privileged files.
Folders — Privileged PDF folders are like privileged PDF files except that all files directly in the specified folder (but not in its sub-folders) receive the same privileges.
Host — A privileged PDF host is appropriate for PDFs opened in a browser from a Web server. A host can only be specified at the host-name level; for example, www.adobe.com can be specified, but not www.adobe.com/products/. The host name must be complete, with no wildcards (unlike crossdomain.xml files). The user can additionally require that the connection to the host be secure, that is, an https: connection. All PDFs on the specified host share the same privileged settings.
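To make the three matching rules concrete, here is an added illustration written for this post, not code from Adobe or from Acrobat itself. It models the rules as described above: a file matches only by its exact path (so a moved file loses its privileges), a folder covers its direct children but not sub-folders, and a host matches only by its complete host name, with an optional https-only requirement and no wildcards. The class, method names and sample paths are assumptions chosen for the example.

```python
"""Illustrative model of Acrobat/Reader 9 privileged-location matching.

This is example code written for this article, not Adobe's implementation.
It encodes the three rules the post describes:
  - Files:   exact path match only (a moved file is no longer privileged)
  - Folders: direct children of the folder only, no sub-folders
  - Hosts:   complete host name, no wildcards, optional https-only flag
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from urllib.parse import urlsplit


@dataclass
class PrivilegedLocations:
    # Exact file paths (Windows-style in this example; comparison is
    # case-insensitive because PureWindowsPath compares that way).
    files: set[str] = field(default_factory=set)
    # Folder paths; trust is NOT recursive.
    folders: set[str] = field(default_factory=set)
    # host name -> True if the connection must be https
    hosts: dict[str, bool] = field(default_factory=dict)

    def is_privileged(self, location: str) -> bool:
        """Return True if a PDF at `location` (path or URL) is privileged."""
        if "://" in location:
            return self._match_host(location)
        return self._match_path(location)

    def _match_path(self, path: str) -> bool:
        p = PureWindowsPath(path)
        # Rule 1: privileged file == exact path. Moving the file breaks it.
        if any(p == PureWindowsPath(f) for f in self.files):
            return True
        # Rule 2: privileged folder covers direct children only, so
        # C:\Trusted\archive\x.pdf is NOT covered by C:\Trusted.
        return any(p.parent == PureWindowsPath(d) for d in self.folders)

    def _match_host(self, url: str) -> bool:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, port removed, path ignored
        # Rule 3: complete host name, no wildcards. A sub-domain such as
        # help.adobe.com never matches an entry for www.adobe.com.
        if host is None or host not in self.hosts:
            return False
        # Optional "must be secure" flag: only https: connections qualify.
        if self.hosts[host] and parts.scheme.lower() != "https":
            return False
        return True


# Constructed sample configuration (assumed paths/hosts, not real settings).
SAMPLE = PrivilegedLocations(
    files={r"C:\Users\alice\Documents\payroll.pdf"},
    folders={r"C:\Trusted"},
    hosts={"www.adobe.com": True, "intranet.example.com": False},
)

if __name__ == "__main__":
    for loc in (
        r"C:\Users\alice\Documents\payroll.pdf",
        r"C:\Users\alice\Desktop\payroll.pdf",   # moved: no longer trusted
        r"C:\Trusted\form.pdf",
        r"C:\Trusted\archive\form.pdf",           # sub-folder: not trusted
        "https://www.adobe.com/products/x.pdf",
        "http://www.adobe.com/products/x.pdf",    # https required
        "https://help.adobe.com/x.pdf",           # no wildcard match
    ):
        print(f"{loc}: {SAMPLE.is_privileged(loc)}")
```

The point an administrator should take from the model is how narrow each grant is: trusting a folder does not trust what users drop into its sub-folders, and trusting www.adobe.com does not trust any other adobe.com host, so a deployment that relies on these locations has to enumerate them explicitly rather than assume inheritance.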
Using privileged locations, the user can bypass the security restrictions on the following, which would otherwise be in effect:
•Cross-domain data access
•Silent printing
•External streams access
•Document JavaScript sending data to a remote server
•FDF data injection
•FDF script injection
•Data taint: when data is downloaded from multiple hosts and then sent to another host
Note: This information was extracted from a draft version of the “Enhanced Security in Adobe Acrobat 9 and Adobe Reader 9” White Paper which will be published shortly and includes many more important details than this posting. I’ll supply a link to it when that document becomes final.