Hi,

I would suggest a workaround is to serve the swf from a secure url too - that would reassure browsers that their details are secure. Not many people will check the status bar; they tend to look for the padlock or the address bar - if that's got an https in, then they will be happy. You are only stuffed if port 443 points to a different webserver, in which case I would change hosting providers for something more useful.

The cross-domain policy to serve https to http flash files needs to have the secure attribute set to false:

<allow-access-from domain="www.company.com" secure="false" />


I am not sure about the ramifications of having * for the cross-domain - it's not the end of the world, but there are some more articles on the devnet if you need:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_05.html

   HTH

   Glen

Steven Loe wrote:
Adobe's documentation on this is not crystal clear (to me anyway). Hoping that 
someone who's been down this road can point me in the right direction.

My app is hosted on a shared host (webFaction). The swfs are loaded over http. 
The user's credit card data is transmitted over https. All works fine in the 
flash IDE. However, with the app running in a browser I get:

2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot 
load data from https://example.com/secure/game/direct_payment.

WebFaction serves a global crossdomain.xml file for all its customers. I don't 
have a way to change the policy file at server root. Here's their file:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
        <allow-access-from domain="*"/>
</cross-domain-policy>

Questions:
1. Given the server configuration, how can I get around the security sandbox 
error when I make a https call?
2. How bad (or not) is the resulting security created by the <allow-access-from domain="*"/>?
Thanks very much
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders


--

Glen Pike
01326 218440
www.glenpike.co.uk <http://www.glenpike.co.uk>
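
An added example, not part of the original thread or of Adobe's code: a small Python check that evaluates a crossdomain.xml served over https the way the thread describes, showing why the host-wide wildcard file still blocks an http-loaded SWF and what the secure="false" entry changes. The function names are hypothetical, domain matching is simplified, and it assumes that a missing secure attribute is treated as true in a policy file served over https.

```python
import xml.etree.ElementTree as ET

# Constructed samples. HOST_POLICY is the host-wide file quoted in the thread;
# PATCHED_POLICY swaps in a secure="false" entry like the one in the reply.
HOST_POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy
  SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""
PATCHED_POLICY = HOST_POLICY.replace(
    b'<allow-access-from domain="*"/>',
    b'<allow-access-from domain="example.com" secure="false"/>')


def _entries(policy_xml):
    """Yield (domain, secure) per allow-access-from entry; secure defaults to true."""
    for node in ET.fromstring(policy_xml).iter("allow-access-from"):
        secure = node.get("secure", "true").strip().lower() != "false"
        yield node.get("domain", "").lower(), secure


def _matches(pattern, host):
    # Simplified matching (assumption): "*", "*.suffix", or an exact host name.
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def http_swf_allowed(policy_xml, swf_host):
    """Can a SWF loaded over plain http from swf_host read data from the https
    site serving policy_xml? Only entries with secure="false" permit that."""
    return any(_matches(d, swf_host.lower()) and not secure
               for d, secure in _entries(policy_xml))


def audit(policy_xml):
    """Return review findings for a policy file served over https."""
    findings = []
    for domain, secure in _entries(policy_xml):
        if "*" in domain:
            findings.append(f"{domain}: wildcard grants read access to SWFs from other sites")
        if not secure:
            findings.append(f"{domain}: secure=false lets http-loaded SWFs read https responses")
    return findings
```

Run against the two samples, the wildcard file denies the http-loaded SWF (the 2048 error in the question), while the patched file allows it and is reported by audit() for doing so.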
