On Jan 31, 2006, at 5:00 AM, Nicolas Désy wrote:

>> I've never fully understood the need for the crossdomain policy file. I
>> think it was Sho who tried to explain it to me in a very technical
>> manner but either I'm really thick (definite possibility) or I just
>> don't get the value of something where you essentially need to disable
>> the security via a crossdomain.xml file to get something like web
>> services to work without the need of a proxy.
>
> One of the needs is to prevent malicious developers from using the Flash Player
> to do a DoS attack (http://en.wikipedia.org/wiki/Denial-of-service_attack) on
> a server. For example, I put an SWF on a big portal; when the SWF is
> loaded, it does 1000 requests on osflash.org. So every visitor of the portal
> will flood the osflash.org server without knowing it. And we can't stop
> anything like this except with a strong security model. Yes, you're right,
> we can flood the server anyway with any other tools, but the Flash Player
> would have a bad reputation if it was possible.

Easily done with HTTP requests via JavaScript, but nobody does..

    while (true) {
        (new Image()).src = 'http://example.com/' + (new Date()).getTime();
    }

I've never found any good reason for crossdomain.xml. It seems to be a
half-assed solution for a problem that wouldn't have existed in the first
place. Even if building a compatible player, I don't see any reason to
bother with it... it doesn't break any content that currently works.

-bob
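
Added example, not part of the original thread or of any Flash Player code: a small Python check that reads a crossdomain.xml policy and reports which requesting hosts it would admit, so the "disable the security" case (domain="*") can be told apart from a scoped policy. The sample policies and host names are constructed, and the wildcard matching is a simplified assumption about how the domain attribute is evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from the thread).
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.partner.example" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns granted by <allow-access-from> elements."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Assumed matching rules: '*' is any host, '*.x' is any subdomain of x,
    anything else must match the host name exactly."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot
    return host == pattern


def is_allowed(policy_xml, swf_host):
    """True if a SWF served from swf_host is granted access by the policy."""
    return any(pattern_matches(p, swf_host) for p in allowed_domains(policy_xml))


def audit(policy_xml):
    """List the entries that widen access beyond a single named host."""
    findings = []
    for p in allowed_domains(policy_xml):
        if p == "*":
            findings.append("open: SWFs from any domain are granted access")
        elif p.startswith("*."):
            findings.append("wildcard: every subdomain of %s is trusted" % p[2:])
    return findings
```
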