I must be missing something, but I'm a bit confused as to the design of the Flash Security Model and crossdomain.xml.
My main question is who is this model intended to protect? As I undestand it, this protects third party servers from disclosing their "data" to flash clients. That is, if you do not have a cross domain file on a third party server, a flash program cannot access the data. But, any other program (e.g. ,a web browser, socket program, etc) could easily access this data. It's up to the client to recuse itself (and only flash clients recuse themselves). It would seem for a server to protect itself, it would have to enforce the protection, not the client. My expectation was that this was more like a Java sandbox which prevented a program from accessing other sites for the protection of the client, not the server. In such a scheme one might expect the crossdomain.xml file to be controlled by the server which served the flash application (not the 3rd party server) ... a chain of trust. If it's controlled by the 3rd party, then there's not a huge amount of protection. So I can't see any benefit of letting the thrid party server be in control of this file. If the crossdmain.xml file is to protect the server, then it misses the case where non-flash clients can access the server. If it is to protect the client from a malicious thrid party, the third party can simply add a crossdomain.xml file to their site. Perhaps this is to avoid DOS'ing a third party site from a flash app, but attempting to grab the crossdomain.xml file could be a form of attack (although arguably less intensive). So what am I missing here? Perhaps there are use cases that I don't see that this model affords protection either to the client or the server. -- Flexcoders Mailing List FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/flexcoders/ <*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED] <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
