>From the Adobe Help files:
======================================================================
Each <allow-access-from> tag also has the optional secure attribute, which
defaults to true. You can set the attribute to false if your policy file is on
an HTTPS server, and you want to allow SWF files on a non-HTTPS server to load
data from the HTTPS server.
Setting the secure attribute to false could compromise the security offered by
HTTPS. In particular, setting this attribute to false opens secure content to
snooping and spoofing attacks. Adobe strongly recommends that you not set the
secure attribute to false.
If data to be loaded is on a HTTPS server, but the SWF file loading it is on an
HTTP server, Adobe recommends that you move the loading SWF file to an HTTPS
server so that you can keep all copies of your secure data under the protection
of HTTPS.
======================================================================
If I needed secure access, I would move everything over to https.
The only other thing I could suggest is to use encryption. Check out AS3Crypto
(http://code.google.com/p/as3crypto/). Of course, if you serve the SWF over
HTTP, someone could analyze the SWF and find the encryption key. Again, for
security reasons, I would move everything over to https.
--- In [email protected], "Laurence" <lmacne...@...> wrote:
>
> So, here's my crossdomain.xml in its final form:
>
> <cross-domain-policy>
> <site-control permitted-cross-domain-policies="master-only" />
>
> <allow-http-request-headers-from domain="www.mydomain.com" headers="*"
> secure="false"/>
> <allow-access-from domain="www.mydomain.com" secure="false" />
>
> </cross-domain-policy>
>
> This allows all the stuff on the SecureColdFusion channel I created to work
> just fine, as long as I access the site from "mydomain.com" and not from
> "localhost" or "myserver01" (its NetBIOS name).
>
> Even if I put <allow-access-from domain="localhost"/> (or
> domain="myserver01"/>) in there, it still won't allow access from localhost
> (or myserver01), because the security certificate is issued to mydomain.com
> -- the names don't match, so the browser/Flash/CF rejects it. (I don't know
> exactly which one is rejecting it, but somewhere along the line it's being
> rejected because of the name-mismatch.)
>
> The only way that I can see to change that behavior is to create two more
> virtual websites that point to the same location, and give each of those
> virtual sites their own certificate (one assigned to "myserver01" and one
> assigned to "localhost". Otherwise, I can't access the app on my local
> server if the Internet goes down. Yuck. (If anyone knows a better way, I'm
> all ears.)
>
> The one thing that still bothers me about this setup is the 'secure="false"'
> tags. I cannot get a straight answer as to exactly what this does to my
> security. It enables http .SWFs to access https data, sure. But does that
> mean it's disabling all https when it does that? Or does it mean that it is
> secure during transit over the Internet, but not when it's being held in the
> Flex app? Or does it mean something entirely different? There is no site
> that has a direct answer to this -- they all just say "it's not recommended
> due to security issues," or something along those lines. But they don't
> specify WHAT security issues there are. I need to know -- I can't serve my
> entire app over an https connection because it'll be too slow, but I must
> have secure access to some of the data...
>
> So if anyone can answer the 'secure="false"' question specifically, I would
> be very grateful.
>
> Thanks,
> L.
>
