I know this is an old thread but you can't just browse to it - a browser only displays html, but that html comes from a server at some point - i.e. a proxy. The same goes for ajax. The reason that they don't post a crossdomain.xml is because that would make developers put their secret key inside the flex app which can easily be decompiled and compromised.
Still it would be nice to have a solution, without having to spin up your own servers. Baz On Mon, Jul 28, 2008 at 1:01 PM, George <george_sm...@tksoftware.com> wrote: > --- In flexcoders@yahoogroups.com <flexcoders%40yahoogroups.com>, > "nathanpdaniel" <ndan...@...> wrote: > > > > > In my experience, Flex Builder "Debug" swfs have the same are > > subject > > > to the same crossdomain access restrictions that production swfs > > have. > > > > > > I'm a bit suspicious of the claim that this is not the case. > > > > I think what is being said (if I'm understanding correctly) - running > > FB3 to load external XML (RSS, APIs, etc) - the security does not > > exist - crossdomain policy files are not required when running a SWF > > through FB3. However, when you deploy to "production", crossdomain > > policy files ARE required. > > That being said - I think the issue lies with - why when we run > > test in development no security is required, but then to run the same > > application from a "production" site (running the swf in anything > > other than FB3 test). I (or anyone) may develope a fully functional > > site in FB3, thinking every thing is "hunky dory", then move the SWF > > to production and "crash" - no crossdomain.xml file... then, as a > > developer I have to either 1) contact the publisher of the RSS, API, > > etc I'm trying to load, and ask them to kindly put up a > > crossdomain.xml policy file - which isn't likely to happen... or 2) > > Redevelop how my application loads data (no small thing). > > It kinda sucks I have to develop around an issue that doesn't exist > > in development but does in production. I understand the security > > concerns, but I think it's more on the side of - if I can do it in > > dev, why can't I do it in production? It'd be nice to at least be > > able to tell FB3 the app I'm developing will be loading from a site I > > have no control over which may or maynot have a crossdomain policy > > file... > > > > (ching, ching - my 2 cents)... > > > This is exactly right. I would take it a step further though. If I can > get to it with just a browser, then why is it that security is such > that I cannot get to it without a crossdomain.xml file that authorizes > it. Where is the security hole, if I can just browse to it with > Firefox, I.E, Safari, or Opera? > > >
