So, here's my crossdomain.xml in its final form:

<cross-domain-policy>
        <site-control permitted-cross-domain-policies="master-only" />

        <allow-http-request-headers-from domain="www.mydomain.com" headers="*" secure="false"/>
        <allow-access-from domain="www.mydomain.com" secure="false" />

</cross-domain-policy>

This allows all the stuff on the SecureColdFusion channel I created to work 
just fine, as long as I access the site from "mydomain.com" and not from 
"localhost" or "myserver01" (its NetBIOS name).

Even if I put <allow-access-from domain="localhost"/> (or 
domain="myserver01"/>) in there, it still won't allow access from localhost (or 
myserver01), because the security certificate is issued to mydomain.com -- the 
names don't match, so the browser/Flash/CF rejects it.  (I don't know exactly 
which one is rejecting it, but somewhere along the line it's being rejected 
because of the name-mismatch.)

The only way that I can see to change that behavior is to create two more 
virtual websites that point to the same location, and give each of those 
virtual sites their own certificate (one assigned to "myserver01" and one 
assigned to "localhost").  Otherwise, I can't access the app on my local server 
if the Internet goes down.  Yuck.  (If anyone knows a better way, I'm all ears.)

The one thing that still bothers me about this setup is the 'secure="false"' 
tags.  I cannot get a straight answer as to exactly what this does to my 
security.  It enables http .SWFs to access https data, sure.  But does that 
mean it's disabling all https when it does that?  Or does it mean that it is 
secure during transit over the Internet, but not when it's being held in the 
Flex app?  Or does it mean something entirely different?  There is no site that 
has a direct answer to this -- they all just say "it's not recommended due to 
security issues," or something along those lines.  But they don't specify WHAT 
security issues there are.  I need to know -- I can't serve my entire app over 
an https connection because it'll be too slow, but I must have secure access to 
some of the data...

So if anyone can answer the 'secure="false"' question specifically, I would be 
very grateful.

Thanks,
L.
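An added example, not from the post or the list: a small Python audit of the policy above, where the audit's names and the tightened variant are my own constructions. The point it encodes is that on a policy served over HTTPS the default is secure="true", which admits only SWFs that were themselves loaded over HTTPS; secure="false" drops that check, so a SWF fetched over plain HTTP, whose code has no transport integrity, can read the HTTPS data inside the player.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the master policy from the post, assumed served over HTTPS.
WEAK_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-http-request-headers-from domain="www.mydomain.com" headers="*" secure="false"/>
  <allow-access-from domain="www.mydomain.com" secure="false" />
</cross-domain-policy>"""

# Constructed tightened variant: secure left at its HTTPS default (true) and the
# header allow-list narrowed to one named header instead of "*".
TIGHT_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-http-request-headers-from domain="www.mydomain.com" headers="X-Requested-With"/>
  <allow-access-from domain="www.mydomain.com" />
</cross-domain-policy>"""

ACCESS_TAGS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text, served_over_https=True):
    """Return a list of findings (strings) for a crossdomain.xml master policy."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    sc = root.find("site-control")
    if sc is None:
        findings.append("no <site-control>: other policy files on the host are honoured")
    elif sc.get("permitted-cross-domain-policies") == "all":
        findings.append("permitted-cross-domain-policies=all: any file on the host can grant access")
    for el in root.iter():
        if el.tag not in ACCESS_TAGS:
            continue
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(f"{el.tag}: domain=* grants every origin")
        # secure only matters when the policy itself came over HTTPS; its default there is true.
        if served_over_https and el.get("secure", "true").lower() == "false":
            findings.append(f"{el.tag} domain={domain}: secure=false lets a SWF loaded over "
                            "plain HTTP read this HTTPS data")
        if el.tag == "allow-http-request-headers-from" and el.get("headers") == "*":
            findings.append(f"{el.tag} domain={domain}: headers=* permits arbitrary request headers")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_policy(policy))
```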