If Flash becomes a real application platform, then this reasoning is bogus because the data will already be accessible by Flash.

It's also pretty silly... how are you going to snoop around on a LAN? Where are the URLs going to come from? I suppose if it was some kind of targeted espionage you'd be able to do something useful, but that's pretty far-fetched.

I also wonder if a relatively default IIS or Apache configuration could be coerced into echoing a valid XML document off of information in the URL... then you could use loadPolicyFile to fake a crossdomain.xml.

Either way, it's totally dumb that you can't load SWFs and JPGs. Given the LAN-snooping argument, where is the threat for loadMovie? For that matter, what about loadVariables? XML.load? XMLSocket (with > 1024 ports, anyway)? If merely GETing a URL is harmful, then you can already do that damage with loadPolicyFile in the first place!

-bob

On Jan 31, 2006, at 10:15 AM, Mike Chambers wrote:

> It has nothing to do with selling server licenses. It is so when you
> run the Flash player in a browser inside your Firewall, that content
> doesn't snoop the servers inside your firewall, and send the data
> outside.
>
> Here is a good write up on it:
>
> http://www.martijndevisser.com/blog/article/why-crossdomainxml-is-a-good-thing
>
> mike chambers
>
> [EMAIL PROTECTED]
>
> On Jan 31, 2006, at 3:20 AM, Aral Balkan wrote:
>
>> Hi Alias,
>>
>> I've never fully understood the need for the crossdomain policy file. I
>> think it was Sho who tried to explain it to me in a very technical
>> manner but either I'm really thick (definite possibility) or I just
>> don't get the value of something where you essentially need to disable
>> the security via a crossdomain.xml file to get something like web
>> services to work without the need of a proxy. It seems to me to be an
>> artificial restriction aimed at selling more server licenses. It also is
>> a major handicap for Flash when compared to Java and rules out the
>> creation of a whole host of applications in Flash (like a POP3/IMAP
>> email reader that can check email from any domain.) "Sure it'll work,
>> just ask your ISP to put a crossdomain.xml file in their root... Ummm,
>> what?"
>>
>> All that said, I'm personally worried about the impact of several,
>> incompatible, Flash player implementations and how that will affect the
>> reputation of the Flash Platform. Currently, Flash is pretty much a
>> write-once, run-anywhere platform and that's one of its (if not its
>> greatest) unique selling points. (Maintaining state on the client was
>> too, but "AJAX" apps can do that too now.) I'm worried that competing
>> players will confuse developers and users alike. I'm even worried about
>> the increasing rate of change in the release of Macromedia Players,
>> especially the pre-release ones (8, followed a few months later by alpha
>> 8.5, beta 8.5?, 8.5?, etc.) I believe that *stability* in the player is
>> very important.
>>
>> Aral
>>
>> _______________________________________________
>> osflash mailing list
>> osflash@osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org