infos: How does Ruffle handle Flashcookies - Data Protection - External Calls

[desertking]

Hello,

I wonder how does Ruffle handle the flash cookies and the storage. I mean old flashgames used this to save game progress and data etc. Does Ruffle write this into the HTML Storage?

Also the more important question. Many games have some kind of statistics integrated or like CPMStar or other ad companies. How can we ensure to protect the data from those games base on user decisions?

I mean flash had something like "internal" only to stop external calls and fishy sites. Especially many of these old games have intros / old developer sites that does not exist anymore and sometimes lead to those fishy adware "you are the 1 of 1.000.000 winner" sites etc. So I hope you have that in mind and will offer some solutions soon to have config options on how to handle those cookies/storage and how to prevent external calls without acknowledgment.

Best Regards

[Herschel]

Because Ruffle on the web is Javascript and WebAssembly, it is subject to the security restrictions in web browsers.

Ruffle writes Flash save data into Local Storage. Local Storage is stored client-side and not on the server. However, Flash content could send the data to a server via an HTTP request (see below). Storage in Flash happens through the use of SharedObject.

Ruffle attempts to make network requests that the original Flash content makes. However, it is subject to the CORS restrictions, and thus cannot make calls to external domains unless that domain allows it via the proper CORS headers. Network requests in Flash happen due to getURL, loadVars, LoadVariables, XML, Loader, URLLoader, XMLSocket, etc.

For JavaScript calls, Ruffle respects the allowScriptAccess setting. When using the polyfill, this uses the allowScriptAccess attribute from the HTML embed, the same as Flash. This defaults to samedomain, allowing calls if the SWF is hosted in the same domain. When using the JS API, Ruffle currently defaults allowScriptAccess to never allow JS calls. JavaScript calls happen in Flash through the use of ExternalInterface, fscommand, and getURL.

All of the above applies to the web player.

I would like to add options to explicitly disable the above, both from the user side and from the host side, and I'd welcome feature request issues about disabling SharedObject and network requests.

[desertking]

I understand it a little better now. But basically the HTTP-Calls causes the problems. For example it is allowed to call ngads.com and cpmstar.com which will drop cookies and make "profiles" or take "statistics" and fill the ad slots. This is a problem with the European Data Protection if there is no option to stop it. So in a "best world" you have some option to allow or disallow external http calls or at least stop the third party cookies from those http calls.

And for the abusive sites that can be clicked there should be an option to block them like flash did: allowNetworking="internal". Of course it caused the problem that sponsors back then didn't get their "clicks" but on the other side there are more dead domains and sponsors than ever and I found some games already with those spammy adware/malware.

[desertking]

any plans or updates on this so far :) ? Still looking for a ruffle way to disallow external traffic calls via ruffle

[dginovker]

Follow-up on security questions:

Can .swf files hosted on a webpage access cookies? I.e. if Github.com has MySwf.swf, can MySwf.swf grab my Github cookies?

Many thanks!

[n0samu]

That would only be possible if allowScriptAccess is enabled as Mike explained above. If an SWF is allowed to execute JavaScript it could theoretically read your cookies.
(Edited my answer to reference Mike's since his explanation is more accurate)

[Croworbit]

here is save locations should anyone in the future find this discussion when looking for save data, but this is from the discord faq (of course discord is a terrible place to put information that everyone needs, but eh)

Linux:   /home/<username>/.local/share/ruffle

macOS: /Users/<username>/Library/Application Support/ruffle

Note: Depending on the level of trust your device attributes to the download, this can be the physical directory or the virtual/sandboxed version of it.
example:
/Users/<username>/Library/Containers/rs.ruffle.ruffle/Data/Library/Application\ Support/ruffle/`


Windows: C:\Users\<username>\AppData\Local\Ruffle

In this directory, you will find log files, a preferences.toml  configuration file if you have any settings customized, as well as shared object library (save) data. ```