
TechNote

How to avoid the security dialog when using getNetText and linked media

Why do security alert messages appear when using getNetText?
When a getNetText command is issued to a Web site other than the one the Shockwave piece resides on, a security alert appears. The dialog box asks if the user wants to proceed. This alert also appears when issuing a command to access linked media. How is getting text or linked media a security violation? How do I get rid of this alert box and still retain security? The purpose of this TechNote is to discuss the logic behind security messages and why they are necessary.

Why are the security messages necessary?
The security box that pops up is not designed as a warning for your day-to-day average Shockwave user. Instead, it is designed for users behind a firewall who may have access to sensitive information on private servers.

Consider the following scenario:

You work for a company called MyCompany.com. Since you are an employee, you are behind the firewall and have access to all the servers in your company, including private ones. You surf to a site called JoePublic.com which has a Shockwave movie. The movie then issues a getNetText to MyCompany's private internal server at http://private.mycompany.com and pulls down sensitive material from that private server behind your firewall. Then the movie issues a getNetText to a CGI script on JoePublic's server sending the info back to them.

What if the user is behind a firewall? How can the Shockwave piece get access to the private servers?
The very fact that the user is behind the firewall is what allows Shockwave to access the same servers. Remember, the plug-in is on the local machine so if you are behind the firewall, so is the player. If someone knows the names of files and servers, they can potentially download information from them.

How does this apply to users that are not linking to servers behind firewalls or corporate servers? The desired functionality is to simply download statistics or data from a search engine or some other public site. Why would there be any security issues involved?
A URL is a URL. Shockwave does not know the difference between what is private and what isn't. As a safeguard, the security alert will appear anytime Shockwave tries to access information beyond the server it resides on.

Is it possible to get rid of the dialog box, yet still retain security?
This can be accomplished by having the Shockwave movie issue its getNetText to a CGI script residing on the same server as the movie. The CGI script acts as a go-between, connecting to the site you wish to grab the text from. Since the CGI script runs on the Web server, outside of any firewall, it won't be able to access any sensitive information behind firewalls. But it will successfully pull the text from the public site you have selected, without prompting the user with any security dialogs.

What are the necessary steps to incorporate a CGI script into my piece?
First, you must have CGI rights to the server. Contact your Web administrator to set this up.

Next, copy and paste the following script into a new text file named Proxy.cgi.

    #!/usr/local/bin/perl
    use Socket;

    $configFile = "./proxy.cfg";
    $query = $ENV{'QUERY_STRING'};

    # Read the configuration file and find the URL listed for the
    # keyword passed in the query string
    open(CONFIG,"$configFile") ||
      die "Content-type: text/plain\n\nError opening config file\n";
    while (<CONFIG>) {
      next if /^#/;
      ($keyword, $url) = split(/\t/,$_);
      if ("$keyword" eq "$query") { $remoteURL = $url; }
    }
    close(CONFIG);
    die "Content-type: text/plain\n\nNo match in config file\n" unless $remoteURL;

    # Prepare the local end of the socket
    chop($localhost=`uname -n`);
    $sock_addr="S n a4 x8";
    $protocol=(getprotobyname('tcp'))[2];
    $local_addr=(gethostbyname($localhost))[4];
    $local=pack($sock_addr,AF_INET,0,$local_addr);
    $|=1;

    # Split the configured URL into host, port and path, then fetch it
    if ($remoteURL =~ m#http://([^\s/]+)/?([^\s]*)#i) {
      $remote_host = "$1";
      $remote_path = "/$2";
      if ($remote_host =~ s/:([0-9]+)$//) {
        $remote_port = "$1";
      } else {
        $remote_port = "80";
      }
      $remote_port = "80" if ($remote_port !~ /[0-9]+/);
      $remote_addr = (gethostbyname($remote_host))[4];
      if ($remote_addr) {
        $remote = pack($sock_addr,AF_INET,$remote_port,$remote_addr);
        if (socket(SOCK,AF_INET,SOCK_STREAM,$protocol)) {
          if (bind(SOCK,$local)) {
            if (connect(SOCK,$remote)) {
              select(SOCK);
              $|=1;
              print "GET $remote_path HTTP/1.0\cM\n\cM\n";
              @remote_data = <SOCK>;
              close(SOCK);
              select(STDOUT);
            } else {
              $MSG="Could not connect: $!";
            }
          } else {
            $MSG="Local socket failure";
          }
        } else {
          $MSG="Socket failure: $!";
        }
      } else {
        $MSG="Host lookup failed";
      }
    } else {
      $MSG="Invalid URL";
    }

    # Return either the error or the remote Content-type header and body
    if ($MSG) {
      print "Content-type: text/plain\n\nError: $MSG\n";
    } else {
      $header = "yes";
      foreach $line (@remote_data) {
        if ($header eq "no") { print "$line" };
        if ($header eq "yes" && $line =~ /^Content-type: /i) {
          print "$line\n";
        }
        if ($line =~ /^\s+$/o) { $header = "no" };
      }
    }

Next, copy the following code into a new text file named Proxy.cfg.

    # This is proxy.cfg, the config file for proxy.cgi.
    # It ignores lines that start with #, like this one.
    #
    # Lines must be formatted with a number or keyword to begin the line
    # followed by a tab, and then a valid URL.
    #
    # The first field starts with "forcecache," followed with the keyword.
    #
    forcecache,glenn	http://www.cedub.com/media/glenn.txt
    forcecache,glem	http://www.cedub.com/media/glem.gif
    forcecache,boom	http://www.cedub.com/media/boom_award.gif
    forcecache,catch	http://www.cedub.com/media/mike-catch.jpg

Use "forcecache" when working with linked media, since Shockwave calls to CGI scripts are not cached by default. This will force the files to be cached. The files must be readily available for the movie to use them with Lingo commands such as ImportFileInto. If you are using getNetText, this is optional. If you do not want the data cached, replace "forcecache" with "dontcache". This parameter is useful when you specifically want to prevent the data from being cached, for example data that should be continually fetched from the server's CGI, such as stock quotes or game scores that will be updated frequently.

Final steps

1. Place both Proxy.cgi and Proxy.cfg into your cgi-bin folder on the same server as your Shockwave piece. Make sure your scripts and Director movie are all on the same server.

2. Set the CGI script to executable.

3. Pay attention to the entries in the config file. They must follow this syntax:

    forcecache,Glenn<tab>http://www.cedub.com/media/glenn.txt

4. In Proxy.cfg, replace the sample URLs with the URLs that you want to use in the "forcecache" lines.

5. In your Director movie, make the getNetText call as follows:

 getNetText "http://www.mydomain.com/~mydirectory/bin/proxy.cgi?forcecache,Glenn" 

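Make sure the URL you are referencing is the actual URL to the proxy.cgi on your server and that the forcecache or dontcache parameter matches that in your proxy.cfg. The script compares the whole query string with the first field of each config line, and the comparison is case-sensitive, so a call with "forcecache,Glenn" needs a config line that begins with "forcecache,Glenn".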

This technique works not only for getNetText, but also for any NetLingo command or linked media reference that will bring up a security dialog box.
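
An added example, not part of the original TechNote: a Python audit of a proxy.cfg file before it is deployed. It applies the format rules described above and, as an extra check that the TechNote does not include, flags targets that are non-public IP literals or single-label host names, because the proxy stays safe only while every configured URL points at a public site. The function names and every sample entry except the glenn.txt line are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: line 2 is the TechNote's own entry; the rest are made up,
# and lines 4-7 are deliberately wrong to show what the audit reports.
SAMPLE_CFG = (
    "# proxy.cfg\n"
    "forcecache,glenn\thttp://www.cedub.com/media/glenn.txt\n"
    "dontcache,scores\thttp://www.example.com/scores.txt\n"
    "forcecache,payroll\thttp://10.0.0.5/payroll.txt\n"
    "forcecache,status\thttp://localhost/server-status\n"
    "forcecache,glem  http://www.example.com/glem.gif\n"
    "forcecache,boom\tftp://www.example.com/boom.gif\n"
)

def is_internal(host):
    """True for non-public IP literals and single-label names such as localhost."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # A DNS name: what it resolves to can only be checked at fetch time.
        return "." not in host.rstrip(".")

def audit_config(text):
    """Return (allowlist, problems) for the text of a proxy.cfg file."""
    allow, problems = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, tab, url = line.partition("\t")
        parts = urlsplit(url.strip())
        if not tab:
            problems.append((no, "no tab between keyword and URL"))
        elif key.partition(",")[0] not in ("forcecache", "dontcache"):
            problems.append((no, "first field must start with forcecache, or dontcache,"))
        elif parts.scheme != "http" or not parts.hostname:
            problems.append((no, "not an http:// URL"))
        elif is_internal(parts.hostname):
            problems.append((no, "target is not a public host: " + parts.hostname))
        elif key in allow:
            problems.append((no, "duplicate keyword " + key))
        else:
            allow[key] = url.strip()
    return allow, problems

def lookup(allow, query):
    """Exact, case-sensitive match of the query string, as proxy.cgi does with eq."""
    return allow.get(query)
```
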




Document Details

ID:tn_12777
