Hello,
We want to deploy these flash-player-settings (edit/add: using flash player 30 on Win7 and/or Win10 with Internet Explorer 11 or Firefox 61):
So we created a mms.cfg-file, containing these lines:
AVHardwareDisable=1
AVHardwareEnabledDomain=conference.intern
FileDownloadDisable=1
FileDownloadEnabledDomain=conference.intern
LocalStorageLimit=5
This file is ANSI-coded (since this is the format the FlashPlayerApp.exe uses if you meddle with the update-settings) and located in C:\Windows\SysWOW64\Macromed\Flash.
We created the mms-lines using the info from https://www.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guide/pdf/f....
The mms-cfg-lines concerning AVHardware seem to work, the lines concerning FileDownload don't.
What are we doing wrong? How can we prevent flash from asking users if they want to allow websites to use the local storage?
Best regards,
Alex
There are no per-domain options for Flash Player's Local Shared Objects. You're limited to global controls.
I'm curious about what you're trying to guard against by restricting LSOs. In terms of ads and behavior-tracking, HTML5 and server-side tracking have largely supplanted Flash Player as the preferred method for tracking user habits. Disabling LSOs in Flash doesn't really buy you meaningful privacy at this point.
Hello and thank you for your answer.
So, you're saying:
FileDownloadDisable=1
FileDownloadEnabledDomain=test.mydomain.com
FileDownloadEnabledDomain=10.1.1.10
What I'm trying to achieve (as admin) is to control the usage of the local storage.
Example:
A user visits a public site. This site should not be allowed to use the local storage (e.g. in order to store Flash-Cookies).
A user visits an internal site. This site should be allowed to use the local storage.
In both cases, the user should not be asked/prompted.
Instead, I want to generally disable the use of the local storage, with the exceptions of our internal sites.
The admin-guide describes exactly this scenario with the three lines mentioned above.
Since the user can control these settings (first he is prompted to allow/deny, furthermore he can adjust these settings using the flashplayerapp.exe), there must be a way for network-administrators to control these settings as well!
description: on public sites, the use of the local storage should be denied, but without prompting the user!
description: on internal sites, the use of the local storage should be allowed, but without prompting the user!
I can't administrate all my computers using Adobe - Flash Player: Einstellungsmanager - Website-Speichereinstellungen!
Best regards,
Alex
You're misinterpreting the description of the FileDownload* flags in the admin guide.
From the admin guide, pp. 32:
FileDownloadDisable - Lets you prevent the ActionScript FileReference API from performing file downloads.
This is talking about actual file downloads, not local stored objects. So you're just disabling the ability for Flash Player to pop a "Save File" prompt on these machines.
You're correct in the observation that at this point, the only controls are available on individual clients. You can disable LocalSharedObjects globally at an administrative level, but there's no per-domain whitelist option. It's not a bad suggestion (I'd still posit that the reasoning for disabling Local Shared Objects is largely superstition and doesn't result in an actual improvement in privacy in the context of the web in 2018), but it doesn't exist at this point. It's probably also worth pointing out that whenever the user deletes their browser cookies, Flash Player purges its Local Shared Objects store, and we honor Private/Incognito Browsing Mode.
Hello and thanks again!
I got that and understand what you are saying.
One final question: is there any way I can suppress the user prompt (shown in the pictures in my last response)?
We have a conference-system, and it is kind of annoying that every user gets this prompt every day.
Best regards,
Alex
Try the following options. I'm guessing that one of them will work.
Either they've architected their application to load a child SWF from another domain, and *that* SWF is trying to store data, or they're exceeding the storage limits that you've permitted. I'm guessing it's the ThirdPartyStorage flag, and that the way they've architected the service, they load a child SWF from another domain, and that's what is storing the data locally. Unless you explicitly permit or deny ThirdPartyStorage via mms.cfg (both of which suppress that prompt), we'll default to prompting the user on each access.
If ThirdPartyStorage=1 works, then you might think about the fact that when we talk about domain in this context, we're talking about canonical hostname. When making decisions about security context, foo.yourdomain.com (whose IP is 192.168.1.100) is not the same domain as accessing either bar.yourdomain.com, or 192.168.1.100. If all of the content is on the same host, but you've configured it to access that host in an inconsistent way, that would cause us to (correctly) treat accesses that don't match the hostname originally requested as third-party requests.
If you continue to get prompted with one or both of these flags set, then I'll probably need to know a lot more about how the conferencing system actually works. At that point, it might be easier to get the conferencing provider involved (especially if they can point us to a URL that reproduces the issue). They're welcome to private message me (just click my name) to get an engineering-level conversation started.
Hi,
sorry, did not work.
I added both lines - there's still that prompt.
I don't think that there is a third party involved, since the prompt clearly names the name of my conference-website (which is a local Linux-server). So the URL and the name in the prompt are identical. Also, if I click "allow", the flashplayerapp.exe shows an entry in which the name (again) is identical to the URL.
Let's say my URL is http://conference/, then the prompt asks if conference can use the local storage. If I click yes, the flashplayerapp.exe shows that conference is allowed to use the local storage. This doesn't look like third party to me.
I can use an IP-address instead, no difference. Let's say my site was http://192.168.1.10, then the prompt asks for 192.168.1.10 and the flashplayerapp.exe shows an entry for this site. By the way, my client-computer is in the same subnet.
So: a user can add conference using the flashplayerapp.exe in order to prevent a prompt. I really would like to deploy this setting.
Another question:
I am using these lines for camera-restrictions:
Starting the conference via http://conference worked fine without a prompt if the site should be allowed to use the camera. Starting the conference via http://192.168.1.10 got me a prompt (if the site should be allowed to use the camera).
How do I add more than one entry?
One line for each entry (looks like it in the admin-guide)?
Or comma-separated?
Best Regards,
Alex
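Added example (not part of the original thread and not Adobe code): a small Python audit of the hostname point made in the replies above, where http://conference and http://192.168.1.10 are treated as different domains. The function names, the string-comparison model and the sample file are assumptions built from the flags and hosts quoted in this thread.

```python
from urllib.parse import urlsplit

# Constructed sample mms.cfg; flags, hostname and IP are the ones quoted in this thread.
SAMPLE_CFG = """\
AVHardwareDisable=1
AVHardwareEnabledDomain=conference
FileDownloadDisable=1
FileDownloadEnabledDomain=conference
FileDownloadEnabledDomain=192.168.1.10
"""

# (disable flag, per-domain exception flag) pairs that appear in the thread.
PAIRS = [("AVHardwareDisable", "AVHardwareEnabledDomain"),
         ("FileDownloadDisable", "FileDownloadEnabledDomain")]


def parse_mms_cfg(text):
    """Return {flag: [values]}; a flag repeated on several lines keeps every value."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip():
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def uncovered(settings, urls):
    """Map each exception flag to the URLs whose host is not literally listed.

    Assumption (simplified model of the behaviour described above): the host
    in the URL is compared as a string, so a name and its IP never match.
    """
    report = {}
    for disable_flag, domain_flag in PAIRS:
        if settings.get(disable_flag, ["0"])[-1] != "1":
            continue  # feature not disabled, so no exception list applies
        listed = {v.lower() for v in settings.get(domain_flag, [])}
        report[domain_flag] = [u for u in urls
                               if (urlsplit(u).hostname or "").lower() not in listed]
    return report


if __name__ == "__main__":
    urls = ["http://conference/", "http://192.168.1.10/"]  # both forms users type
    for flag, missing in uncovered(parse_mms_cfg(SAMPLE_CFG), urls).items():
        print(flag, "missing entries for:", missing or "none")
```

Run it against the deployed file with every URL form users actually enter; any URL reported for a flag is one that the exception list does not cover under this model.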
Sorry, but this really isn't working at all.
Here is my mms.cfg.
The only settings that work, are the update-settings.
Though AVHardwareDisable is set true (1), I get a user prompt if the website conference should be allowed to access the webcam. So as admin, I forbid it, but my users can do it anyway!
Though AVHardwareEnabledDomain=conference is set, I get a user prompt for exactly this website (access webcam).
The FlashPlayerApp.exe displays the camera-options as disabled (greyed out), tooltip says, access to webcam/microphone is forbidden via mms.cfg. But the disabled options show, that "ask if website wants access" is checked!
By the way: there is no way to check, if there are exceptions for websites, which is not useful at all.
All the storage-options don't seem to do anything.
I get a user prompt, asking if I want to allow the website conference to store information on my computer. If I click allow, an entry is created, which is shown via FlashPlayerApp.exe (Storage, ask before websites can store information on my computer, settings per website: conference - ask (or allow)).
----------------------------------------
SUMMARY:
ACTUAL SETTINGS using just the mms.cfg
Storage: ask before allowing websites to store information on this computer
settings per website: empty
Camera and microphone: ask, before allowing websites to access to camera and microphone - but both options are greyed out. Popup-text says: access to camera and microphone is forbidden (mentions mms.cfg). One cannot see, if there are exceptions for websites
Peer-Assisted-Networking: Ask...
settings per website: empty
Updates: Never check for updates [this is the only mms-setting, that actually works; we deploy updates ourselves]
----------------------------------------
SETTINGS AFTER MANUALLY ALLOWING (PROMPT)
Storage: ask before allowing websites to store information on this computer
settings per website: conference - allow
Camera and microphone: ask, before allowing websites to access to camera and microphone but both options are greyed out. Popup-text says: access to camera and microphone is forbidden (mentions mms.cfg). One cannot see, if there are exceptions for websites
Detail: Though conference is added in mms.cfg and though access should be denied, flash shows a user-prompt; so the user can allow conference to access the camera.
Peer-Assisted-Networking: Ask...
Settings per Website: conference - ask
Updates: Never check for updates
----------------------------------------
WANTED SETTINGS (all of which can be edited by the user via FlashPlayerApp.exe, but not deployed by admins?)
Storage: prevent websites from storing information on this computer
settings per website (exceptions):
conference - allow
192.168.1.10 - allow
IF NOT POSSIBLE
Storage: ask before allowing websites to store information on this computer
settings per website:
conference - allow
192.168.1.10 - allow
Camera and microphone: deny all websites access to camera and microphone
exceptions for conference and 192.168.1.10 only
Peer-Assisted-Networking: Prevent...
Updates: Never check for updates
----------------------------------------
For each setting a user can choose, there should be a possibility to deploy this!
If the mms doesn't work, why doesn't the flashplayerapp.exe WRITE the mms.cfg, when started as administrator? It works for the update-settings, but unfortunately not for the rest.
Never mind, I found the platform information.
For the flags that actually exist, it sounds like you're doing the right things to enable them. I'll do some testing and see what I can confirm.
For the behaviors that you want that we don't have flags for, I can file enhancement requests (they're not unreasonable requests), but they'll go on the product backlog, and it will be at least a few months before they would ship.
Any chance this conferencing product has a demo that I can install locally?
Also, have you considered using a purely HTML5/WebRTC-based solution? Flash Player is EOL at the end of 2020, and browser restrictions on Flash Player will simply continue to make it harder to actually run Flash Player between now and then as the browsers continue to add new restrictions on Flash Player execution.
Hello,
the conference-system is Apache OpenMeetings. As far as I can tell they're working on HTML5-support. But that can take some time. It is open source, so you can install it anytime. We use it on a Linux-server, so you would have to do some scripting and compiling, if you wanted to clone our environment.
I know, that there will be more browser-restrictions in the future. But right now, my problem is neither the browser, nor the conference-system. My problem is Flash-administration.
Best Regards,
Alex
thanks