On Jan 7, 2006, at 8:39 PM, John Grden wrote:

> Yeah, I have to agree. Xray or not, you still have to validate the  
> data coming from the client - whether you protect your methods/ 
> properties correctly or not.
>
> So, in saying that, locking down whether or not Xray exists in a  
> site at production seems reduced to this line of questions:
>
> 1.  Are you talking to a server and transmitting data?  If yes,  
> remove xray from the production files.

Why bother?  It makes it slightly less convenient to see what's going  
on, but it's not impossible.  If you're worried about that then you  
really need to spend more time with the server to make sure it's  
robust against tampering.

> 2.  If no, do you care if people look around your flash site with  
> Xray (though harmless to the site itself)? if yes, remove xray from  
> the production files.

Again.. if the user wants to pick it apart, it's not that big of a  
deal.  It's absolutely possible to develop a transparent proxy that  
injects Xray or anything else into every SWF that goes across the  
wire if one were so inclined.  The technology to implement this is  
readily available -- and the developers on this list are largely to  
thank (or blame) ;)

Hell, such a tool would actually be useful for developers.  They  
wouldn't even need to bother inserting Xray in their projects  
anymore, and it would render this discussion completely irrelevant.

My point is -- if you don't want a user to see something, don't ever  
send it to them!  Otherwise, what's the harm in making it somewhat  
accessible?  They could see it if they really wanted to anyway.

-bob


_______________________________________________
osflash mailing list
[email protected]
http://osflash.org/mailman/listinfo/osflash_osflash.org
