I agree.

I understand the need for some kind of restrictions to prevent XSS attacks
and such.

Yet, the implementation strikes me as rather lame, since it doesn't
cover very common and perfectly valid use cases (load an xml, an image,
consume a webservice, etc; it's not always possible to place a crossdomain
file in a server you don't necessarily control but to which you are allowed
to access since its resources are public).



Cheers
Juan Pablo Califano


2009/3/31, Glen Pike <[email protected]>:
>
> I would agree with John too - If it's up there, it's public - I guess
> that's the point.
>
> The crossdomain policy thing bugs me a great deal, especially when I have
> to implement the "response" in each program running on a port I want to
> connect to.   For "files": I know what file I want to load from somewhere -
> I programmed it into the Flash myself.  So why do I have to jump through
> hoops to get to it?  For passive content - XML / Images / Movies, I would
> expect that if I know the URL of something I can load it.  If that server
> wants to stop me, then it's up to that server.  I get the point for
> non-passive content with XSS, etc, but it seems that the policies are a way of
> solving something that is an issue somewhere else that then makes it
> extremely difficult for normal people - maybe I just don't get it totally :)
>
> If a banner ad reads something on my server - so what?  Surely it's up to
> me as the sysadmin to make sure of the access control / permissions for my
> data, not Flash Player's to stick a big plaster (Band Aid) over security
> holes left by my bad programming.
>
> Now which is your favourite editor :)
>
> Meinte van't Kruis wrote:
>
>> Still, I agree with John, on the XML part. If everybody and everything can
>> read an XML on a random server, why can't Flash, it doesn't make any
>> sense.
>>
>> On Tue, Mar 31, 2009 at 5:33 PM, Muzak <[email protected]> wrote:
>>
>>>> And, I've also discovered that Flex is more forgiving. I can pull in
>>>> content from another domain without said crossdomain.xml by using a
>>>> HTTPService component.
>>>>
>>> That's not correct.
>>> Doesn't matter if it's Flex or Flash. It's the Flash Player that enforces
>>> security, not the tool that created the swf.
>>> Different rules apply to different swf versions, so if Flex compiles to fp9
>>> and Flash CS4 compiles to fp10, you may see different results.
>>> Even minor revisions may show different results (e.g. 9.0.45 vs 9.0.124).
>>>
>>>> But why on earth is that so? I mean, the same file can easily be read by
>>>> an ordinary browser!? What on earth could I concoct with my devious,
>>>> malignant Flash application with the same file?
>>>>
>>> Well, it's not about what your intentions are, they may be all good,
>>> but not everyone has those same good intentions :)
>>>
>>> Think about banner ads that are displayed *wherever*.
>>> Do you really want those to be able to read/load/execute anything they feel
>>> like from your site/server?
>>>
>>> There's quite a lot of info on the Adobe site regarding security:
>>> http://www.adobe.com/devnet/flashplayer/security.html
>>> http://www.adobe.com/devnet/security/
>>> http://www.adobe.com/products/flashplayer/security/
>>>
>>> regards,
>>> Muzak
>>>
>>> ----- Original Message ----- From: "Johan Nyberg" <[email protected]>
>>> To: <[email protected]>
>>> Sent: Tuesday, March 31, 2009 2:17 PM
>>> Subject: [Flashcoders] Cross-domain policy - why is Flex more forgiving than Flash?
>>>
>>>> I'm getting tired of Flash's unforgiving cross-domain policy. Why can't I
>>>> read an xml-feed, content produced by a php file or a simple text file
>>>> without Flash wagging that finger in my face saying "No, no, you can't, not
>>>> without that site allowing your site access in the crossdomain.xml".
>>>>
>>>> But why on earth is that so? I mean, the same file can easily be read by
>>>> an ordinary browser!? What on earth could I concoct with my devious,
>>>> malignant Flash application with the same file?
>>>>
>>>> And, I've also discovered that Flex is more forgiving. I can pull in
>>>> content from another domain without said crossdomain.xml by using a
>>>> HTTPService component.
>>>>
>>>> I would greatly appreciate if anyone could shed some light on this. And,
>>>> if anyone can point out if I'm doing anything wrong here.
>>>>
>>>> But please don't tell me to get my domain name into that other server's
>>>> cross-domain policy file. There are many situations where this is not
>>>> possible, and where it would still be legitimate to read content from that
>>>> site.
>>>>
>>>> And, as I said before, the browser doesn't need that permission. Nor does
>>>> Flex, apparently.
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Johan Nyberg
>>>>
>>>> Web Guide Partner
>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Flashcoders mailing list
>>> [email protected]
>>> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
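
Added example, not part of the original thread: a simplified model of the check discussed above, where the player reads the target server's crossdomain.xml and compares the host that served the SWF against its allow-access-from entries. The host names and both sample policies are constructed, and the matching rules are a simplification (the secure attribute and meta-policies are not modelled).

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from the thread).
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.partner.example"/>
  <allow-access-from domain="*.cdn.partner.example"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "").lower()
            for el in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Match one policy pattern against the host that served the SWF."""
    host = host.lower()
    if pattern == "*":
        return True                        # every origin is accepted
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # subdomains of the suffix only
    return host == pattern                 # exact host match


def swf_may_read(policy_xml, swf_host):
    """True if a SWF served from swf_host may read data from the
    server that publishes policy_xml (simplified model)."""
    return any(pattern_matches(p, swf_host)
               for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """Return the entries that open the server to any SWF, banner ads included."""
    return [p for p in allowed_patterns(policy_xml) if p == "*"]
```
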