I would agree with John too - If it's up there, it's public - I guess that's the point.

The crossdomain policy thing bugs me a great deal, especially when I have to implement the "response" in each program running on a port I want to connect to. For "files": I know what file I want to load from somewhere - I programmed it into the Flash myself. So why do I have to jump through hoops to get to it? For passive content - XML / Images / Movies, I would expect that if I know the URL of something I can load it. If that server wants to stop me, then it's up to that server. I get the point for non-passive content with XSS, etc, but it seems that the policies are a way of solving something that is an issue somewhere else that then makes it extremely difficult for normal people - maybe I just don't get it totally :)

If a banner ad reads something on my server - so what? Surely it's up to me as the sysadmin to make sure of the access control / permissions for my data, not Flash Player's to stick a big plaster (Band Aid) over security holes left by my bad programming.

Now which is your favourite editor :)

Meinte van't Kruis wrote:
Still, I agree with John, on the XML part. If everybody and everything can
read an XML on a random server, why can't Flash, it doesn't make any sense.

On Tue, Mar 31, 2009 at 5:33 PM, Muzak <[email protected]> wrote:

> And, I've also discovered that Flex is more forgiving. I can pull in
> content from another domain without said crossdomain.xml by using a
> HTTPService component.

That's not correct.
Doesn't matter if it's Flex or Flash. It's the Flash Player that enforces
security, not the tool that created the swf.
Different rules apply to different swf versions, so if Flex compiles to fp9
and Flash CS4 compiles to fp10, you may see different results.
Even minor revisions may show different results (e.g. 9.0.45 vs 9.0.124).

> But why on earth is that so? I mean, the same file can easily be read by
> an ordinary browser!? What on earth could I concoct with my devious,
> malignant Flash application with the same file?

Well, it's not about what your intentions are, they may be all good,
but not everyone has those same good intentions :)

Think about banner ads that are displayed *wherever*.
Do you really want those to be able to read/load/execute anything they feel
like from your site/server?

There's quite a lot of info on the Adobe site regarding security:
http://www.adobe.com/devnet/flashplayer/security.html
http://www.adobe.com/devnet/security/
http://www.adobe.com/products/flashplayer/security/

regards,
Muzak

----- Original Message -----
From: "Johan Nyberg" <[email protected]>
To: <[email protected]>
Sent: Tuesday, March 31, 2009 2:17 PM
Subject: [Flashcoders] Cross-domain policy - why is Flex more forgiving than Flash?


I'm getting tired of Flash's unforgiving cross-domain policy. Why can't I
read an xml-feed, content produced by a php file or a simple text file
without Flash wagging that finger in my face saying "No, no, you can't, not
without that site allowing your site access in the crossdomain.xml".

But why on earth is that so? I mean, the same file can easily be read by
an ordinary browser!? What on earth could I concoct with my devious,
malignant Flash application with the same file?

And, I've also discovered that Flex is more forgiving. I can pull in
content from another domain without said crossdomain.xml by using a
HTTPService component.

I would greatly appreciate if anyone could shed some light on this. And,
if anyone can point out if I'm doing anything wrong here.

But please don't tell me to get my domain name into that other server's
cross-domain policy file. There are many situations where this is not
possible, and where it would still be legitimate to read content from that
site.

And, as I said before, the browser doesn't need that permission. Nor does
Flex, apparently.

Regards,

--
Johan Nyberg

Web Guide Partner

_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
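
The policy check discussed in this thread, sketched as an added example (not code from any poster or from Adobe): given a server's crossdomain.xml, decide whether a SWF served from another host would be granted read access, and flag entries a server owner should review. The sample policies and host names are constructed, and the wildcard matching is a simplification assumed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from the thread).
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="feeds.example.org"/>
  <allow-access-from domain="*.partner.example" secure="false"/>
</cross-domain-policy>"""


def entries(policy_xml):
    """Return (domain, secure) pairs, one per allow-access-from element."""
    root = ET.fromstring(policy_xml)
    return [(e.get("domain", ""), e.get("secure", "true").lower() != "false")
            for e in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Simplified matching (assumption): '*' is any host, '*.x' is any subdomain of x."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def may_read(policy_xml, swf_host):
    """Would a SWF served from swf_host be granted read access under this policy?"""
    if policy_xml is None:  # no crossdomain.xml on the server: read is refused
        return False
    return any(pattern_matches(d, swf_host) for d, _ in entries(policy_xml))


def audit(policy_xml):
    """List entries that grant more than a server owner may have intended."""
    findings = []
    for domain, secure in entries(policy_xml):
        if domain == "*":
            findings.append("any domain may read responses: " + domain)
        if not secure:
            findings.append("HTTP-served SWFs may read HTTPS content: " + domain)
    return findings
```
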
