You can load SWFs and JPEGs, you just can't call methods and check properties on the SWF because it's created in another security sandbox away from your code. It's the data that doesn't work.

It's not far-fetched either, you're just a nice guy; you forget there are evil assholes out there hellbent on furthering Entropy.

----- Original Message -----
From: "Bob Ippolito" <[EMAIL PROTECTED]>
To: "Open Source Flash Mailing List" <osflash@osflash.org>
Sent: Tuesday, January 31, 2006 1:54 PM
Subject: Re: [osflash] [Slightly OT] Gnash & the security model

If Flash becomes a real application platform, then this reasoning is bogus because the data will already be accessible by Flash. It's also pretty silly... how are you going to snoop around on a LAN? Where are the URLs going to come from? I suppose if it was some kind of targeted espionage you'd be able to do something useful, but that's pretty far-fetched.

I also wonder if a relatively default IIS or Apache configuration could be coerced into echoing a valid XML document off of information in the URL... then you could use loadPolicyFile to fake a crossdomain.xml.

Either way, it's totally dumb that you can't load SWFs and JPGs. Given the LAN-snooping argument, where is the threat for loadMovie? For that matter, what about loadVariables? XML.load? XMLSocket (with > 1024 ports, anyway)? If merely GETing a URL is harmful, then you can already do that damage with loadPolicyFile in the first place!

-bob

On Jan 31, 2006, at 10:15 AM, Mike Chambers wrote:

> It has nothing to do with selling server licenses. It is so when you
> run the Flash player in a browser inside your Firewall, that content
> doesn't snoop the servers inside your firewall, and send the data
> outside.
>
> Here is a good write up on it:
>
> http://www.martijndevisser.com/blog/article/why-crossdomainxml-is-a-good-thing
>
> mike chambers
>
> [EMAIL PROTECTED]
>
> On Jan 31, 2006, at 3:20 AM, Aral Balkan wrote:
>
>> Hi Alias,
>>
>> I've never fully understood the need for the crossdomain policy file. I
>> think it was Sho who tried to explain it to me in a very technical
>> manner but either I'm really thick (definite possibility) or I just
>> don't get the value of something where you essentially need to disable
>> the security via a crossdomain.xml file to get something like web
>> services to work without the need of a proxy. It seems to me to be an
>> artificial restriction aimed at selling more server licenses. It also is
>> a major handicap for Flash when compared to Java and rules out the
>> creation of a whole host of applications in Flash (like a POP3/IMAP
>> email reader that can check email from any domain.) "Sure it'll work,
>> just ask your ISP to put a crossdomain.xml file in their root... Ummm,
>> what?"
>>
>> All that said, I'm personally worried about the impact of several,
>> incompatible, Flash player implementations and how that will affect the
>> reputation of the Flash Platform. Currently, Flash is pretty much a
>> write-once, run-anywhere platform and that's one of its (if not its
>> greatest) unique selling points. (Maintaining state on the client was
>> too, but "AJAX" apps can do that too now.) I'm worried that competing
>> players will confuse developers and users alike. I'm even worried about
>> the increasing rate of change in the release of Macromedia Players,
>> especially the pre-release ones (8, followed a few months later by alpha
>> 8.5, beta 8.5?, 8.5?, etc.) I believe that *stability* in the player is
>> very important.
>>
>> Aral
>>
>> _______________________________________________
>> osflash mailing list
>> osflash@osflash.org
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
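The thread argues over what crossdomain.xml actually protects against (Mike's intranet-snooping point) and how it can be weakened (a wildcard policy, or a policy echoed back from an arbitrary URL and pulled in with loadPolicyFile). The script below is an added example written for this page; it is not code from the thread, from Macromedia, or from Gnash. It parses a policy file, evaluates whether a given SWF origin would be admitted, and flags the settings that turn the file into the leak Mike describes. Both sample policies are constructed, the domain-matching rules are my reading of the published policy-file format rather than a reference implementation, and the site-control element is a later addition to the format that this 2006 thread predates.

```python
"""
Audit a Flash crossdomain.xml and decide whether a requesting host would be
admitted under it. Added example; not code from the osflash thread, from
Macromedia/Adobe or from Gnash. Sample policies are constructed, and the
matching rules are an assumption based on the published policy-file format.
"""
import xml.etree.ElementTree as ET

# Constructed: the "just make web services work" policy. Any SWF on the web,
# loaded by a browser inside the firewall, may read this server's responses
# and ship them outside, which is exactly the case the policy file exists for.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed: the same server trusting only named origins, HTTPS-served SWFs
# only, and honouring no policy other than the master file at the site root.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.intranet.example" secure="true"/>
  <allow-access-from domain="partner.example" secure="true"/>
</cross-domain-policy>
"""


def parse_policy(xml_text):
    """Return {'rules': [(domain, secure), ...], 'site_control': str|None}."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain")
        if not domain:
            continue  # an entry without a domain grants nothing
        # secure defaults to true: an HTTPS policy does not admit HTTP SWFs
        # unless the author explicitly opts out.
        secure = el.get("secure", "true").lower() != "false"
        rules.append((domain, secure))
    sc = root.find("site-control")
    meta = sc.get("permitted-cross-domain-policies") if sc is not None else None
    return {"rules": rules, "site_control": meta}


def domain_matches(pattern, host):
    """Assumed rules: '*' matches everything, '*.base' matches base and its
    subdomains, anything else must match exactly (case-insensitive)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(policy, host, over_https=True):
    """Would a SWF served from `host` be admitted by `policy`?"""
    for domain, secure in policy["rules"]:
        if not domain_matches(domain, host):
            continue
        if secure and not over_https:
            continue  # this rule only admits HTTPS-served SWFs
        return True
    return False


def audit(policy):
    """Flag settings that weaken the policy. Returns a list of findings."""
    findings = []
    for domain, secure in policy["rules"]:
        if domain == "*":
            findings.append('domain="*": every origin on the web may read this '
                            "server's responses through a viewer's browser")
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": one compromised subdomain '
                            "extends trust to the whole server")
        if not secure:
            findings.append(f'secure="false" on {domain}: plaintext-HTTP SWFs '
                            "may read HTTPS responses")
    if policy["site_control"] is None:
        findings.append("no site-control element: the player's default decides "
                        "whether a non-master policy fetched via loadPolicyFile "
                        "is honoured; set permitted-cross-domain-policies")
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_POLICY),
                       ("restricted", RESTRICTED_POLICY)):
        pol = parse_policy(text)
        print(name, "->", audit(pol) or ["no findings"])
        print("  partner.example over https:", is_allowed(pol, "partner.example"))
        print("  anywhere.example over https:", is_allowed(pol, "anywhere.example"))
```

Run it against a real policy file by feeding the fetched text to `parse_policy`; the useful output is the `audit` list, since a clean `is_allowed` for your own origin says nothing about who else the file admits.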