Is there any "client side only" way to protect a SWF so it'd only be possible to load it from domain X?
I'm aware of the server side options such as checking the referrer but unfortunately my server is a "static" CDN where this implementation isn't possible.
I wonder why flash cross-domain security files do not seem to handle this scenario as well.
Thanks
Well if youre using the Dynamic embedding with SWFObject, you could scan window.location to verify the domain before performing the embedding action and bail if its not correct. However, thats just goins to prevent it from being displayed in the page... someone could easily look through your JS source and get the direct URL or something of that nature.
EDIT:
Regarding the above you could link to a PHP/ASP/etc file on your server that checks the referrer and then if its ok, relays the actual data. This kind of defeats the purpose of the CDN though.
Generally, I live by the rule that if you put anything on a public server thats not behind some kind of authentication the only thing you can do is make it more of a hassle to get at what you want to protect - there is always a way around it if the user is willing to go that extra mile.