Brian wrote:
> I have a flash app that accesses .xml files.
> The source is viewable and some creative crackers have figured out how to
> meld a url together to get vital information from those .xml's.

Well, dont put vital information there :-)

> I need to prevent the web client from directly accessing them.
> Is there a directive (such as Apache's) or mechnisim to keep web clients
> from accessing yet allow my app access these files?

Your flash app is a web client too and thus indistinguishable
from any other web client.

> Somthing like
> <FilesMatch \.(?i:gif|jpe?g|xml)$>
>    Order allow,deny
>    Allow from <some file name>
                ^^^^ what exactly would you want to
                put into this hypothetical statement? :-)

>    Deny from all
>    <some other web trick>
> </FilesMatch>
> in zope.conf or ???

No. Just dont send something over the web to any client
what you dont want to send to people. Everything you send
can and will be read no matter whats the intended client
is. SSL nor custom auth will prevent people from reading
it. (see tcpflow and openssl client)

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to