I wouldn't worry about point 2). The only real reason for crossdomains (as I understand, at least) is solving this potential security hole:
Let's suppose you're in a LAN that has access to some intranet; or to some servers that you have access to because you're in this LAN, but are not accessible from the internet, anyway. So, you can point your browser to http://www.somesite.com (internet) and http://myprivate.intranet (LAN access only) and you will reach both. On the other hand, outside that LAN, you could only reach somesite.com but not myprivate.intranet. Since Flash runs client side, if there were no crossdomain policy, the swf you downloaded from www.somesite.com would have access to myprivate.intranet. It could read data from it and send it back to www.somesite.com (or somewhere else). This opens a potential security hole, especially for corporate intranets.

To prevent this, a host must grant access explicitly. With the crossdomain files it states that it's ok for swfs downloaded from certain domains to communicate with it.

So, the only potential problem here would be in your hosting provider's LAN, as I see it.

Cheers
Juan Pablo Califano

---------- Forwarded message ----------
From: Steven Loe <[email protected]>
Date: 2010/1/13
Subject: [Flashcoders] Crossdomain.xml, shared hosting, https, oh my!
To: Flashcoders mailing list <[email protected]>

Adobe's documentation on this is not crystal clear (to me anyway). Hoping that someone who's been down this road can point me in the right direction.

My app is hosted on a shared host (webFaction). The swfs are loaded over http. The user's credit card data is transmitted over https. All works fine in the flash IDE. However, with the app running in a browser I get:

2048: Security sandbox violation: http://example.com/media/swf/game.swf cannot load data from https://example.com/secure/game/direct_payment.

WebFaction serves a global crossdomain.xml file for all its customers. I don't have a way to change the policy file at server root.
Here's their file:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

Questions:
1. Given the server configuration, how can I get around the security sandbox error when I make a https call?
2. How bad (or not) is the resulting security created by the <allow-access-from domain="*"/>

Thanks very much

_______________________________________________
Flashcoders mailing list
[email protected]
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
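Added example, not part of either message: a small Python audit of the policy file quoted in the thread, evaluating which SWF origins it grants access to an HTTPS URL. It assumes the policy-file rule that `secure` defaults to "true" when the policy is served over HTTPS; the function names and the simplified domain matching are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The shared host's global policy, as quoted in the thread.
POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM 'http://www.adobe.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

def domain_matches(pattern, host):
    """Simplified matching (assumption): '*', '*.suffix', or exact host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def evaluate(policy_xml, swf_url, target_url):
    """Return (allowed, findings) for a SWF at swf_url reading target_url."""
    swf, target = urlparse(swf_url), urlparse(target_url)
    https_target = target.scheme == "https"
    allowed, findings = False, []
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = rule.get("domain", "")
        # Assumed default: for a policy served over HTTPS, secure is "true",
        # so only SWFs that were themselves loaded over HTTPS are granted.
        secure = rule.get("secure", "true").lower() != "false"
        if domain == "*":
            findings.append("wildcard domain: SWFs from any site match this rule")
        if https_target and not secure:
            findings.append(f"secure=false on {domain}: HTTP SWFs may read HTTPS data")
        if not domain_matches(domain, swf.hostname or ""):
            continue
        if https_target and secure and swf.scheme != "https":
            findings.append(f"{domain}: denied, SWF not loaded over HTTPS")
            continue
        allowed = True
    return allowed, findings

if __name__ == "__main__":
    target = "https://example.com/secure/game/direct_payment"
    for swf in ("http://example.com/media/swf/game.swf",
                "https://example.com/media/swf/game.swf",
                "https://unrelated.example/other.swf"):
        print(swf, evaluate(POLICY, swf, target))
```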

