You have the purpose backwards. (There's an entirely different mechanism for what trust you want to grant to a particular SWF.)
The point is for a server owner to prevent you from distributing a SWF that can act as a distributed denial-of-service attack on a server.
Consider the case of some web forum that lets you upload a SWF as an image. Every person who visits the page runs that SWF. It would thus be bad if the SWF was allowed to connect to some site that the SWF author wanted to crash.
Dig it?
-rg
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of dos dedos
Sent: Monday, March 27, 2006 7:58 PM
To: [email protected]
Subject: RE: [flexcoders] Re: Flex 2: about "potential" HTTPService timeout/security issues ...
(I'm still in complaining mode)
ActiveX and Java used applet signing to solve this ...
Wouldn't it be better to "respect" the end user's right to choose whether or not to trust a given Flash app to do what it's supposed to do rather than to force the user to install crossdomain on their machine or force the sys admin (in case of LAN) to install cross domain inside the LAN?
How about some security through democracy?
How many times does the average person click OK on a signed applet or ActiveX permission screen and end up regretting it?
dos
Ted Patrick <[EMAIL PROTECTED]> wrote:
1. Delegate security to the server side on a domain/subdomain basis.
2. Enable high and low ports access.
3. Prevent Flash Player from being used as "denial of service" toolset.
Crossdomain.xml has really improved things, it was a great addition to the player at the release of Flash Player 7. I complained about it but eventually I saw the light.
Cheers,
Cynergy Systems, Inc.
Theodore Patrick
Sr. Consultant
[EMAIL PROTECTED]
tel: 1.866.CYNERGY
http://www.cynergysystems.com
________________________________________
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of dos dedos
Sent: Monday, March 27, 2006 6:14 PM
To: [email protected]
Subject: RE: [flexcoders] Re: Flex 2: about "potential" HTTPService timeout/security issues ...
thanks!
btw, does anyone know what is the security scenario that promoted the introduction of the crossdomain requirement? it would be educating to know
Carson Hager <[EMAIL PROTECTED]> wrote:
You will need a crossdomain file.
--
Flexcoders Mailing List
FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
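The server-side opt-in discussed in this thread, as an added Python sketch that is not part of the original messages or any poster's code: it reads a cross-domain policy file and decides, default deny, whether a SWF served from a given host would be allowed to connect. The function names, the sample hosts and policies, and the reading of a `*.suffix` pattern as "subdomains only" are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, as a server owner might publish at /crossdomain.xml.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.partner.example" />
</cross-domain-policy>"""

OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns the server owner has opted in to."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain").strip().lower()
            for el in root.iter("allow-access-from")
            if el.get("domain")]


def pattern_matches(pattern, swf_host):
    """Compare one policy pattern with the host a SWF was loaded from."""
    swf_host = swf_host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: "*.suffix" covers subdomains only, not the bare suffix.
        return swf_host.endswith(pattern[1:])
    return swf_host == pattern  # a subdomain counts as a different domain


def swf_may_connect(policy_xml, swf_host):
    """Default deny: no policy file or no matching entry means no access."""
    if policy_xml is None:
        return False
    return any(pattern_matches(p, swf_host)
               for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """Flag entries that give up the protection the policy file provides."""
    return ["domain='*' lets a SWF hosted anywhere connect to this server"
            for p in allowed_patterns(policy_xml) if p == "*"]
```

In the forum scenario from the first message, a SWF uploaded to `forum.example.org` is refused by a server publishing `SAMPLE_POLICY`, because that server's owner never listed the forum's domain.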

