Hi,

We currently handle the Flash-based crossdomain.xml and the upcoming Access-Control-Allow-Origin in different ways in our code. How about, instead of setting a path to a crossdomain.xml file, we allow the user to provide a list of allowed domains? That way, we can create a response to /crossdomain.xml on the fly as well as correctly set Access-Control-Allow-Origin. Also, I think we should default both of these to only allow access from the domain the BoshServlet runs on.

If this sounds good, I'll go ahead and make the changes.

/niklas
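An added sketch of the proposal above, not part of the original message and not the project's own code: a single allow-list drives both the generated /crossdomain.xml body and the Access-Control-Allow-Origin value. The class name `CrossOriginPolicy`, its methods and the sample domains are hypothetical; wildcard entries are deliberately rejected, and an empty list yields no cross-domain grants in either mechanism.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Hypothetical helper: one allow-list of host names feeds both mechanisms.
public class CrossOriginPolicy {
    private final List<String> allowedDomains = new ArrayList<>();

    public CrossOriginPolicy(List<String> domains) {
        for (String d : domains) {
            // Accept plain host names only, so a configuration value can never
            // inject markup into the generated XML or widen access with "*".
            if (!d.matches("[A-Za-z0-9.-]+")) {
                throw new IllegalArgumentException("not a host name: " + d);
            }
            allowedDomains.add(d.toLowerCase(Locale.ROOT));
        }
    }

    /** Body to serve for GET /crossdomain.xml, built on the fly. */
    public String crossDomainXml() {
        StringBuilder xml = new StringBuilder("<?xml version=\"1.0\"?>\n<cross-domain-policy>\n");
        for (String d : allowedDomains) {
            xml.append("  <allow-access-from domain=\"").append(d).append("\"/>\n");
        }
        return xml.append("</cross-domain-policy>\n").toString();
    }

    /** Value for Access-Control-Allow-Origin, or null to send no header. */
    public String allowOriginFor(String originHeader) {
        if (originHeader == null) return null;
        try {
            // Origin carries scheme and port; the allow-list holds host names.
            String host = URI.create(originHeader).getHost();
            if (host != null && allowedDomains.contains(host.toLowerCase(Locale.ROOT))) {
                return originHeader; // echo the one matching origin; pair with "Vary: Origin"
            }
        } catch (IllegalArgumentException e) {
            // Malformed Origin header: treat as not allowed.
        }
        return null;
    }

    public static void main(String[] args) {
        CrossOriginPolicy p = new CrossOriginPolicy(List.of("chat.example.org")); // constructed sample
        System.out.print(p.crossDomainXml());
        System.out.println(p.allowOriginFor("https://chat.example.org"));
        System.out.println(p.allowOriginFor("https://other.example.net"));
        System.out.print(new CrossOriginPolicy(List.of()).crossDomainXml());
    }
}
```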
