Paul Neave wrote:
The weird thing is that you can load an image from any server without
the need for a crossdomain policy file, but you can't use
BitmapData.draw() unless you have a policy file. Also, you can load an
mp3 from any other server but you can't access the mp3's id3
information without a policy file on the other server.

I don't have background on those potential exploits yet myself, but would suspect that it's the entire access to bitmap data from foreign sources which is blocked off, rather than just specific methods within that class, to minimize leaks across versions as methods change. If the foreign data acknowledges you (via a policy declaration on their server), or if your own server proxies that data yourself, then the ability to get inside that bitmap data is available.

What types of exploits are possible? I don't have a full list, but I've heard of CAPTCHA defeats in the past, and the rewriting of message boxes, things like that... those are the types of exploits which prevent free manipulation of foreign, unwilling media data. I've put an item in my schedule to ask the security folks next week if there are any updates in this area, or better info.

jd

--
John Dowdell . Adobe Developer Support . San Francisco CA USA
Weblog: http://weblogs.macromedia.com/jd
Aggregator: http://weblogs.macromedia.com/mxna
Technotes: http://www.macromedia.com/support/
Spam killed my private email -- public record is best, thanks.
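As an added illustration of the behaviour Paul describes (not code from either poster), here is an ActionScript 3 client that loads a foreign image and mp3 with the policy-file check turned on and handles the refusal of pixel and ID3 access when the remote host has not granted it; the hostnames and file names are placeholders.

```actionscript
package {
    import flash.display.BitmapData;
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.media.Sound;
    import flash.media.SoundLoaderContext;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;
    // Example only; media.example.com is a placeholder host.
    public class ForeignMediaCheck extends Sprite {
        private var loader:Loader = new Loader();
        private var sound:Sound = new Sound();
        public function ForeignMediaCheck() {
            // checkPolicyFile=true makes the player fetch
            // http://media.example.com/crossdomain.xml before the load,
            // so the pixel-access decision is known when the image arrives.
            var ctx:LoaderContext = new LoaderContext(true);
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onImage);
            loader.load(new URLRequest("http://media.example.com/pic.png"), ctx);
            // Same idea for sound: the second argument asks for the policy file.
            var sctx:SoundLoaderContext = new SoundLoaderContext(1000, true);
            sound.addEventListener(Event.ID3, onId3);
            sound.load(new URLRequest("http://media.example.com/track.mp3"), sctx);
        }
        private function onImage(e:Event):void {
            // Displaying the image always works; only reading its pixels is gated.
            addChild(loader);
            if (!loader.contentLoaderInfo.childAllowsParent) {
                trace("no policy grant from media host: skipping BitmapData.draw");
                return;
            }
            var bmp:BitmapData = new BitmapData(loader.width, loader.height);
            try {
                bmp.draw(loader);  // throws SecurityError without the grant
            } catch (err:SecurityError) {
                trace("draw refused: " + err.message);
            }
        }
        private function onId3(e:Event):void {
            try {
                // Playback works regardless; reading the tags needs the grant.
                trace("title: " + sound.id3.songName);
            } catch (err:SecurityError) {
                trace("id3 refused: " + err.message);
            }
        }
    }
}
```

The media host opts in by serving a crossdomain.xml whose allow-access-from entry names the SWF's domain; a wildcard grant there opens every image and mp3 on that host to pixel and tag reads from any SWF, which is exactly the exposure the default refusal is meant to prevent.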