And, I've also discovered that Flex is more forgiving. I can pull in content from another domain without said crossdomain.xml by
using a HTTPService component.
That's not correct.
Doesn't matter if it's Flex or Flash. It's the Flash Player that enforces
security, not the tool that created the swf.
Different rules apply to different swf versions, so if Flex compiles to fp9 and Flash CS4 compiles to fp10, you may see different
results.
Even minor revisions may show different results (e.g. 9.0.45 vs 9.0.124).
But why on earth is that so? I mean, the same file can easily be read by an ordinary browser!? What on earth could i concoct with
my devious, malignant Flash application with the same file?
Well, it's not about what your intensions are, they may be all good,
but not everyone has those same good intensions :)
Think about banner ads that are displayed *wherever*.
Do you really want those to be able to read/load/execute anything they feel
like from your site/server?
There's quite alot of info on the Adobe site regarding security:
http://www.adobe.com/devnet/flashplayer/security.html
http://www.adobe.com/devnet/security/
http://www.adobe.com/products/flashplayer/security/
regards,
Muzak
----- Original Message -----
From: "Johan Nyberg" <johan.nyb...@webguidepartner.com>
To: <flashcoders@chattyfig.figleaf.com>
Sent: Tuesday, March 31, 2009 2:17 PM
Subject: [Flashcoders] Cross-domain policy - why is Flex more forgiving
thanFlash?
I'm getting tired of Flash's unforgiving cross-domain policy. Why can't I read an xml-feed, content produced by a php file or a
simple text file without Flash wagging that finger in my face saying "No, no, you can't, not without that site allowing your site
access in the crossdomain.xml".
But why on earth is that so? I mean, the same file can easily be read by an ordinary browser!? What on earth could i concoct with
my devious, malignant Flash application with the same file?
And, I've also discovered that Flex is more forgiving. I can pull in content from another domain without said crossdomain.xml by
using a HTTPService component.
I would greatly appreciate if anyone could shed some light on this. And, if
anyone can point out if I'm doing anything wrong here.
But please don't tell me to get my domain name into that other servers cross-domain policy file. There are many situations where
this is not possible, and where it would still be legitimate to read content from that site.
And, as I said before, the browser doesn't need that permission. Nor does Flex,
apparently.
Regards,
--
Johan Nyberg
Web Guide Partner
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
