Re: [flexcoders] Re: RSS Feeds

2009-04-17 Thread David Pariente
I happen to have done a really cool picture browser that took the pics 
and data from Google's Picasa website RSS data; when I completely 
finished it, DANG, it stops working on my server because of security reasons.

1st, I agree it should not work on local as well; I threw away months of 
work!!! :O

2nd, I cannot read an RSS because of security reasons?? wait... RSS were 
not intended for being used in our apps? those RSS icons there, are not 
there for us to work with them???

Finally, if I ever have to get data from outside, and I'm considering 
doing an RSS reader, and other stuff... I will just get the data to Flash 
through a small PHP script.

but that security thing really sucks...(T__T)


Baz wrote:


 I know this is an old thread but you can't just browse to it - a 
 browser only displays html, but that html comes from a server at some 
 point - i.e. a proxy. The same goes for ajax. The reason that they 
 don't post a crossdomain.xml is because that would make developers put 
 their secret key inside the flex app which can easily be decompiled 
 and compromised.

 Still it would be nice to have a solution, without having to spin up 
 your own servers.

 Baz


 On Mon, Jul 28, 2008 at 1:01 PM, George george_sm...@tksoftware.com wrote:

 --- In flexcoders@yahoogroups.com, nathanpdaniel ndan...@... wrote:
 
   In my experience, Flex Builder Debug swfs are subject
   to the same crossdomain access restrictions that production swfs
   have.
  
   I'm a bit suspicious of the claim that this is not the case.
 
  I think what is being said (if I'm understanding correctly) - running
  FB3 to load external XML (RSS, APIs, etc) - the security does not
  exist - crossdomain policy files are not required when running a SWF
  through FB3. However, when you deploy to production, crossdomain
  policy files ARE required.
  That being said - I think the issue lies with - why when we run
  test in development no security is required, but then to run the same
  application from a production site (running the swf in anything
  other than FB3 test). I (or anyone) may develop a fully functional
  site in FB3, thinking everything is hunky dory, then move the SWF
  to production and crash - no crossdomain.xml file... then, as a
  developer I have to either 1) contact the publisher of the RSS, API,
  etc I'm trying to load, and ask them to kindly put up a
  crossdomain.xml policy file - which isn't likely to happen... or 2)
  Redevelop how my application loads data (no small thing).
  It kinda sucks I have to develop around an issue that doesn't exist
  in development but does in production. I understand the security
  concerns, but I think it's more on the side of - if I can do it in
  dev, why can't I do it in production? It'd be nice to at least be
  able to tell FB3 the app I'm developing will be loading from a site I
  have no control over which may or may not have a crossdomain policy
  file...
 
  (ching, ching - my 2 cents)...
 
 This is exactly right. I would take it a step further though. If I can
 get to it with just a browser, then why is it that security is such
 that I cannot get to it without a crossdomain.xml file that authorizes
 it. Where is the security hole, if I can just browse to it with
 Firefox, I.E, Safari, or Opera?


 




Re: [flexcoders] Re: RSS Feeds

2009-04-15 Thread Baz
I know this is an old thread but you can't just browse to it - a browser
only displays html, but that html comes from a server at some point - i.e. a
proxy. The same goes for ajax. The reason that they don't post a
crossdomain.xml is because that would make developers put their secret key
inside the flex app which can easily be decompiled and compromised.

Still it would be nice to have a solution, without having to spin up your
own servers.

Baz


On Mon, Jul 28, 2008 at 1:01 PM, George george_sm...@tksoftware.com wrote:

   --- In flexcoders@yahoogroups.com, nathanpdaniel ndan...@... wrote:
 
   In my experience, Flex Builder Debug swfs are subject
   to the same crossdomain access restrictions that production swfs
   have.
  
   I'm a bit suspicious of the claim that this is not the case.
 
  I think what is being said (if I'm understanding correctly) - running
  FB3 to load external XML (RSS, APIs, etc) - the security does not
  exist - crossdomain policy files are not required when running a SWF
  through FB3. However, when you deploy to production, crossdomain
  policy files ARE required.
  That being said - I think the issue lies with - why when we run
  test in development no security is required, but then to run the same
  application from a production site (running the swf in anything
  other than FB3 test). I (or anyone) may develop a fully functional
  site in FB3, thinking everything is hunky dory, then move the SWF
  to production and crash - no crossdomain.xml file... then, as a
  developer I have to either 1) contact the publisher of the RSS, API,
  etc I'm trying to load, and ask them to kindly put up a
  crossdomain.xml policy file - which isn't likely to happen... or 2)
  Redevelop how my application loads data (no small thing).
  It kinda sucks I have to develop around an issue that doesn't exist
  in development but does in production. I understand the security
  concerns, but I think it's more on the side of - if I can do it in
  dev, why can't I do it in production? It'd be nice to at least be
  able to tell FB3 the app I'm developing will be loading from a site I
  have no control over which may or may not have a crossdomain policy
  file...
 
  (ching, ching - my 2 cents)...
 
 This is exactly right. I would take it a step further though. If I can
 get to it with just a browser, then why is it that security is such
 that I cannot get to it without a crossdomain.xml file that authorizes
 it. Where is the security hole, if I can just browse to it with
 Firefox, I.E, Safari, or Opera?

  



[flexcoders] Re: RSS Feeds

2008-07-28 Thread George
--- In flexcoders@yahoogroups.com, Anirudh Sasikumar
[EMAIL PROTECTED] wrote:

 Hi,
 
 During development, Flex Builder automatically gets the flash player
 to trust your swf so that you won't encounter this issue.
 
 Yahoo's crossdomain.xml allows access to content if the app is hosted
 on *.yahoo.com. (Eg: news.yahoo.com, etc.). It's not wildcard access
 that lets anyone access their data. Your app would have to be deployed
 on a subdomain of yahoo.com.
 
 Cheers,
 -- 
 Anirudh Sasikumar
 http://anirudhs.chaosnet.org/

So, what you are saying is that it is not possible to take the rss
feeds from Yahoo directly into a Flex app? The ONLY way is to go
through a proxy? So, a browser can do it, but a Flex/Flash app cannot?
If this is the case, Adobe needs to re-think this security architecture.

Also, if you are correct, which I believe that you are, they need to
correct the development environment, so that you cannot do things in
development, that you will not be able to do in production. If I have
to go through a proxy when I deploy, I should have to go through a
proxy when I develop.
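
Added example (not part of any poster's message and not Flash Player's own code): a Python sketch of the policy check Anirudh describes, showing why a SWF hosted outside `*.yahoo.com` is refused while a wildcard policy would admit it. The policy documents are constructed samples, the function names are hypothetical, and the matching rule is a simplified assumption based on the description in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration; not copied from any real site.
SUBDOMAIN_ONLY_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.yahoo.com"/>
</cross-domain-policy>"""

WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def allowed_patterns(policy_xml):
    """Return the domain patterns from every allow-access-from element."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return []
    return [el.get("domain").strip().lower()
            for el in root.iter("allow-access-from") if el.get("domain")]


def pattern_matches(pattern, swf_host):
    """Assumed matching rule: '*' is everyone, '*.x' is any subdomain of x."""
    host = swf_host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Compare against ".yahoo.com" so "evil-yahoo.com" does not match.
        return host.endswith(pattern[1:])
    return host == pattern


def swf_may_read(policy_xml, swf_host):
    """policy_xml=None models a server that publishes no crossdomain.xml."""
    if policy_xml is None:
        return False  # no policy file: cross-domain reads are refused
    return any(pattern_matches(p, swf_host)
               for p in allowed_patterns(policy_xml))


def audit(policy_xml):
    """Flag patterns that open the data to SWFs hosted anywhere."""
    return [p for p in allowed_patterns(policy_xml) if p == "*"]


if __name__ == "__main__":
    for host in ("news.yahoo.com", "myapp.example.com"):
        print(host, swf_may_read(SUBDOMAIN_ONLY_POLICY, host))
```

A wildcard entry matters most on sites that serve per-user data, because the SWF's request is sent with the visitor's cookies for that site.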



Re: [flexcoders] Re: RSS Feeds

2008-07-28 Thread Jeffry Houser


In my experience, Flex Builder Debug swfs are subject 
to the same crossdomain access restrictions that production swfs have. 

I'm a bit suspicious of the claim that this is not the case.  Without 
seeing code, I wouldn't be able to judge if there was something else 
going on, or not. 


George wrote:

--- In flexcoders@yahoogroups.com, Anirudh Sasikumar
[EMAIL PROTECTED] wrote:
  

Hi,

During development, Flex Builder automatically gets the flash player
to trust your swf so that you won't encounter this issue.

Yahoo's crossdomain.xml allows access to content if the app is hosted
on *.yahoo.com. (Eg: news.yahoo.com, etc.). It's not wildcard access
that lets anyone access their data. Your app would have to be deployed
on a subdomain of yahoo.com.

Cheers,
--
Anirudh Sasikumar
http://anirudhs.chaosnet.org/



So, what you are saying is that it is not possible to take the rss
feeds from Yahoo directly into a Flex app? The ONLY way is to go
through a proxy? So, a browser can do it, but a Flex/Flash app cannot?
If this is the case, Adobe needs to re-think this security architecture.

Also, if you are correct, which I believe that you are, they need to
correct the development environment, so that you cannot do things in
development, that you will not be able to do in production. If I have
to go through a proxy when I deploy, I should have to go through a
proxy when I develop.








  


--
Jeffry Houser
Flex, ColdFusion, AIR
AIM: Reboog711  | Phone: 1-203-379-0773
--
Adobe Community Expert 
http://www.adobe.com/communities/experts/members/JeffryHouser.html
My Company: http://www.dot-com-it.com 
My Podcast: http://www.theflexshow.com
My Blog: http://www.jeffryhouser.com 



[flexcoders] Re: RSS Feeds

2008-07-28 Thread nathanpdaniel
  In my experience, Flex Builder Debug swfs are subject
 to the same crossdomain access restrictions that production swfs
 have.
 
  I'm a bit suspicious of the claim that this is not the case.  

I think what is being said (if I'm understanding correctly) - running 
FB3 to load external XML (RSS, APIs, etc) - the security does not 
exist - crossdomain policy files are not required when running a SWF 
through FB3.  However, when you deploy to production, crossdomain 
policy files ARE required.
  That being said - I think the issue lies with - why when we run 
test in development no security is required, but then to run the same 
application from a production site (running the swf in anything 
other than FB3 test).  I (or anyone) may develop a fully functional
site in FB3, thinking everything is hunky dory, then move the SWF
to  production and crash - no crossdomain.xml file... then, as a 
developer I have to either 1) contact the publisher of the RSS, API, 
etc I'm trying to load, and ask them to kindly put up a 
crossdomain.xml policy file - which isn't likely to happen... or 2) 
Redevelop how my application loads data (no small thing).  
  It kinda sucks I have to develop around an issue that doesn't exist 
in development but does in production.  I understand the security 
concerns, but I think it's more on the side of - if I can do it in 
dev, why can't I do it in production?  It'd be nice to at least be 
able to tell FB3 the app I'm developing will be loading from a site I 
have no control over which may or may not have a crossdomain policy
file...

(ching, ching - my 2 cents)... 



[flexcoders] Re: RSS Feeds

2008-07-28 Thread George
--- In flexcoders@yahoogroups.com, nathanpdaniel [EMAIL PROTECTED] wrote:

   In my experience, Flex Builder Debug swfs are subject
  to the same crossdomain access restrictions that production swfs
  have.
  
   I'm a bit suspicious of the claim that this is not the case.  
 
 I think what is being said (if I'm understanding correctly) - running 
 FB3 to load external XML (RSS, APIs, etc) - the security does not 
 exist - crossdomain policy files are not required when running a SWF 
 through FB3.  However, when you deploy to production, crossdomain 
 policy files ARE required.
   That being said - I think the issue lies with - why when we run 
 test in development no security is required, but then to run the same 
 application from a production site (running the swf in anything 
 other than FB3 test).  I (or anyone) may develop a fully functional
 site in FB3, thinking everything is hunky dory, then move the SWF
 to  production and crash - no crossdomain.xml file... then, as a 
 developer I have to either 1) contact the publisher of the RSS, API, 
 etc I'm trying to load, and ask them to kindly put up a 
 crossdomain.xml policy file - which isn't likely to happen... or 2) 
 Redevelop how my application loads data (no small thing).  
   It kinda sucks I have to develop around an issue that doesn't exist 
 in development but does in production.  I understand the security 
 concerns, but I think it's more on the side of - if I can do it in 
 dev, why can't I do it in production?  It'd be nice to at least be 
 able to tell FB3 the app I'm developing will be loading from a site I 
 have no control over which may or may not have a crossdomain policy
 file...
 
 (ching, ching - my 2 cents)...

This is exactly right. I would take it a step further though. If I can
get to it with just a browser, then why is it that security is such
that I cannot get to it without a crossdomain.xml file that authorizes
it. Where is the security hole, if I can just browse to it with
Firefox, I.E, Safari, or Opera?