I'll admit it's counter-intuitive to me too... Flash Player's approach to security always has been peculiar from my point of view. I would welcome more transparency on the reasoning behind the security decisions being made. It would make it a lot easier for me to sell Flash Platform solutions if I had a ready answer to questions like "what's up with crossdomain.xml?". Every non-Flash developer I've worked with has been baffled by it.
That said, the Player team is trying to satisfy a wide variety of concerns which I would never think of. Generally speaking, I think that cross-domain policy files are meant to restrict the Flash Player's capabilities, and nothing more. Flash Player can't be responsible for all tiers of network security, only itself. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave Sent: Friday, July 21, 2006 2:47 PM To: Flashcoders mailing list Subject: Re: [Flashcoders] AS3, BitmapData and domain security Thanks a lot Tom, that was just what I was looking for. It looks like in Flash Player 9, if you want to load *and* manipulate an image (or even a sound) from another domain you have to be able to have access to that domain and be able to put a crossdomain policy file on that server. The weird thing is that you can load an image from any server without the need for a crossdomain policy file, but you can't use BitmapData.draw() unless you have a policy file. Also, you can load an mp3 from any other server but you can't access the mp3's id3 information without a policy file on the other server. What madness is this!? What's the reasoning behind this? Surely it can't be to do with potential 'hackers' because to get around the problem you only have to create a proxy script: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=50c96388 which any potential hacker would be able to knock up in no time. But for developers, having to create a proxy script means the data has to be redirected via your server and you have to pay for the bandwidth that uses up. I really don't understand why Flash 8 and 9 have this security feature as I don't see what extra security it provides apart from annoying developers. Paul. On 21/07/06, Tom Lee <[EMAIL PROTECTED]> wrote: > Paul, > > I believe the policy file being referred to is the crossdomain.xml file. > Here's a technote for you on the subject, in case you're not familiar: > http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_14213. > > After you get up to speed on cross-domain policy files, you'll want to check > out > http://livedocs.macromedia.com/labs/as3preview/langref/index.html?flash/syst > em/LoaderContext.html&flash/system/class-list.html > > I think the following excerpts pertains to your question: > > "When loading images (JPEG, GIF, or PNG) instead of SWF files, there is no > need to specify a SecurityDomain or an application domain, because those > concepts are meaningful only for SWF files. Instead, you have only one > decision to make: do you need programmatic access to the pixels of the > loaded image? If so, see the checkPolicyFile property." > > >From the checkPolicyFile documentation: > > "Set this flag to true when you are loading an image (JPEG, GIF, or PNG) > from outside the calling SWF file's own domain, and you expect to need > access to the content of that image from ActionScript. Examples of accessing > image content include referencing the Loader.content property to obtain a > Bitmap object, and calling the BitmapData.draw() method to obtain a copy of > the loaded image's pixels" > > Hope that helps! > > -tom > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Neave > Sent: Friday, July 21, 2006 9:06 AM > To: Flashcoders > Subject: [Flashcoders] AS3, BitmapData and domain security > > Hi group, > I've only just discovered that in Flash 8 you can't .draw() a loaded > image into a BitmapData object if the image was loaded from another > domain. I've search about and found you can .draw() a SWF which uses > System.security.allowDomain but there's no way to .draw() an image > JPG, GIF, PNG etc when loaded across domains. > > This is very annoying, but apparently "...this will be fixed in FP9; > you will be able to use policy files to permit such things." said > Deneb Meketa: > http://www.kaourantin.net/2005/12/dynamically-loading-bitmaps-with.html > > Can someone explain how to use the policy file to permit .draw()ing > cross-domain in AS3/FP9? > > Thanks buckets, > Paul. > _______________________________________________ > Flashcoders@chattyfig.figleaf.com > To change your subscription options or search the archive: > http://chattyfig.figleaf.com/mailman/listinfo/flashcoders > > Brought to you by Fig Leaf Software > Premier Authorized Adobe Consulting and Training > http://www.figleaf.com > http://training.figleaf.com > > > _______________________________________________ > Flashcoders@chattyfig.figleaf.com > To change your subscription options or search the archive: > http://chattyfig.figleaf.com/mailman/listinfo/flashcoders > > Brought to you by Fig Leaf Software > Premier Authorized Adobe Consulting and Training > http://www.figleaf.com > http://training.figleaf.com > _______________________________________________ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com _______________________________________________ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
