Ok, that's a solid argument, thanks for the link! The other one (preventing access to an internet public resource on a server located on a different domain), though, seems weak, since any "hacker wannabe" could use a server-side proxy (the most basic could be just one line of php) to access other internet domains transparently.

Cheers
Juan Pablo Califano

2009/3/31, Juan Delgado <zzzar...@gmail.com>:
> There was a very good explanation, but I cannot find it now. It goes somehow like this:
>
> Flash applications in a browser run *behind* your firewall. When you access a page using the browser, any Flash app could start making petitions to the servers inside your network (not that difficult to find or guess IP addresses) and without crossdomain.xml file you wouldn't be able to stop those requests.
>
> With the current model, Flash apps (a malicious banner, for example) cannot fetch content of those servers because most likely they don't have a crossdomain.xml. Thus, secure by default.
>
> [Found it!]
>
> Check this out:
>
> http://www.martijndevisser.com/blog/2005/why-crossdomainxml-is-a-good-thing/
>
> Cheers,
>
> Juan
>
> On Tue, Mar 31, 2009 at 5:53 PM, Juan Pablo Califano <califa010.flashcod...@gmail.com> wrote:
> > I agree.
> >
> > I understand the need for some kind of restrictions to prevent XSS attacks and such.
> >
> > Yet, the implementation strikes me as rather lame, since it doesn't cover very common and perfectly valid use cases (load an xml, an image, consume a webservice, etc; it's not always possible to place a crossdomain file in a server you don't necessarily control but which you are allowed to access since its resources are public).
> >
> > Cheers
> > Juan Pablo Califano
> >
> > 2009/3/31, Glen Pike <g...@engineeredarts.co.uk>:
> >> I would agree with John too - If it's up there, it's public - I guess that's the point.
> >>
> >> The crossdomain policy thing bugs me a great deal, especially when I have to implement the "response" in each program running on a port I want to connect to. For "files": I know what file I want to load from somewhere - I programmed it into the Flash myself. So why do I have to jump through hoops to get to it? For passive content - XML / Images / Movies, I would expect that if I know the URL of something I can load it. If that server wants to stop me, then it's up to that server. I get the point for non-passive content with XSS, etc, but it seems that the policies are a way of solving something that is an issue somewhere else that then makes it extremely difficult for normal people - maybe I just don't get it totally :)
> >>
> >> If a banner ad reads something on my server - so what? Surely it's up to me as the sysadmin to make sure of the access control / permissions for my data, not Flash Player's to stick a big plaster (Band Aid) over security holes left by my bad programming.
> >>
> >> Now which is your favourite editor :)
> >>
> >> Meinte van't Kruis wrote:
> >>> Still, I agree with John, on the XML part. If everybody and everything can read an XML on a random server, why can't Flash, it doesn't make any sense.
> >>>
> >>> On Tue, Mar 31, 2009 at 5:33 PM, Muzak <p.ginnebe...@telenet.be> wrote:
> >>>>> And, I've also discovered that Flex is more forgiving. I can pull in content from another domain without said crossdomain.xml by using a HTTPService component.
> >>>>
> >>>> That's not correct.
> >>>> Doesn't matter if it's Flex or Flash. It's the Flash Player that enforces security, not the tool that created the swf.
> >>>> Different rules apply to different swf versions, so if Flex compiles to fp9 and Flash CS4 compiles to fp10, you may see different results.
> >>>> Even minor revisions may show different results (e.g. 9.0.45 vs 9.0.124).
> >>>>
> >>>>> But why on earth is that so? I mean, the same file can easily be read by an ordinary browser!? What on earth could I concoct with my devious, malignant Flash application with the same file?
> >>>>
> >>>> Well, it's not about what your intentions are, they may be all good, but not everyone has those same good intentions :)
> >>>>
> >>>> Think about banner ads that are displayed *wherever*.
> >>>> Do you really want those to be able to read/load/execute anything they feel like from your site/server?
> >>>>
> >>>> There's quite a lot of info on the Adobe site regarding security:
> >>>> http://www.adobe.com/devnet/flashplayer/security.html
> >>>> http://www.adobe.com/devnet/security/
> >>>> http://www.adobe.com/products/flashplayer/security/
> >>>>
> >>>> regards,
> >>>> Muzak
> >>>>
> >>>> ----- Original Message -----
> >>>> From: "Johan Nyberg" <johan.nyb...@webguidepartner.com>
> >>>> To: <flashcoders@chattyfig.figleaf.com>
> >>>> Sent: Tuesday, March 31, 2009 2:17 PM
> >>>> Subject: [Flashcoders] Cross-domain policy - why is Flex more forgiving than Flash?
> >>>>
> >>>>> I'm getting tired of Flash's unforgiving cross-domain policy. Why can't I read an xml-feed, content produced by a php file or a simple text file without Flash wagging that finger in my face saying "No, no, you can't, not without that site allowing your site access in the crossdomain.xml".
> >>>>>
> >>>>> But why on earth is that so? I mean, the same file can easily be read by an ordinary browser!? What on earth could I concoct with my devious, malignant Flash application with the same file?
> >>>>>
> >>>>> And, I've also discovered that Flex is more forgiving. I can pull in content from another domain without said crossdomain.xml by using a HTTPService component.
> >>>>>
> >>>>> I would greatly appreciate if anyone could shed some light on this. And, if anyone can point out if I'm doing anything wrong here.
> >>>>>
> >>>>> But please don't tell me to get my domain name into that other server's cross-domain policy file. There are many situations where this is not possible, and where it would still be legitimate to read content from that site.
> >>>>>
> >>>>> And, as I said before, the browser doesn't need that permission. Nor does Flex, apparently.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> --
> >>>>> Johan Nyberg
> >>>>>
> >>>>> Web Guide Partner
> >>>>>
> >>>> _______________________________________________
> >>>> Flashcoders mailing list
> >>>> Flashcoders@chattyfig.figleaf.com
> >>>> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
> >>>>
> >>>
> >>
> >
>
> --
> Juan Delgado - Zárate
> http://zarate.tv
> http://blog.zarate.tv