tags:

views:

91

answers:

1
+5  Q: 

Cross domain requests: Javascript vs Flash

As you might know, browser's security model does not allow a script loaded in a page from http://www.example.com to make cross-domain requests (no AJAX calls to any other domain other than www.example.com). The Javascript file itself could have been served from a different domain altogether (www.javascript.com/myscript.js) and that is irrelevant. This is the Same-Origin Policy.

Flash also has something similar? But does Flash treat the origin to be the HTML page where the .swf file was loaded or origin is the domain which served the .swf file?

So http://www.example.com loads a .swf file from http://www.swf.com/myflash.swf. Now .swf can load resources only from www.example.com or only www.swf.com? I'm assuming there are no cross-domain.xml files setup on either example.com or swf.com.

+3  A: 

I think, this article explains a lot about the problem you mention: http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html

From there:

For website owners, all user-supplied content should be served from a completely separate domain. This is already implemented by Yahoo mail, Hotmail, Wikipedia, and many other major websites, but a huge variety of self-contained web applications do not do so (and if I can, for example, upload a malicious file to "apiwiki.twiitter.com", I can perform cross-subdomain cookie attacks). A partial solution was made possible by Flash 10,0,0,2: SWF files served with a "content-Disposition: attachment" header will not execute when embedded in a web page. If all user-generated content is served with this header (not a bad idea in any case), it may limit your exposure, but this is not a very robust solution.

It sounds like if you serve the content from a different domain and there are no cross-domain policy files, then flash cannot access files from your main server.

Also, this article: http://supergeekery.com/index.php/geekblog/2009/12 states that

And everything I write should be able to trust each other and share with each other. You may wonder if Flash Ads are a problem. Do they have this problem? No, there are Flash ads all over the internet, but since they are almost never hosted on the same server as the domain you’re visiting, they don’t get to access the data the web site’s primary code’s data. Cool.

naivists  2010-01-25 11:44:41
The Flash Ads argument does make sense. The Flash ad's swf should be able to load content from the adserver but unable to access anything from the server which has the ad embedded in a page.This should also explain how sites like youtube, scribd.com can support embedding on 3rd-party sites. When they provide you with the <embed> code they don't really know where you're going to embed that object (which means they cannot really go and edit their cross-domain.xml to include your domain).
Harish  2010-01-25 13:04:02

related questions

Make Browser Window Blink in Task Bar
Large File Download
Browser's Default CSS
Disable browser 'Save Password' functionality
What's the simplest way to decremement a date in Javascript by 1 day?
Browser scrollbar
Limitations of screen readers.
Version detection with Silverlight
Best way to fix CSS/JS drop-down problem in IE7 when page includes Google Map
Recommendations for browser add-on tools to help with development
Hyperlinks displaced on IE7
Building Standalone Applications in JavaScript
HTML differences between browsers
Browser Sync accross many machines
Getting selected text in a browser, cross-platform.
How to get PNG transparency working in browsers that don't natively support it?
Best WYSIWYG CSS editor?
Javascript events
Preferred way to use favicons?
IE6: To support or not to support.
Getting the text from a drop-down box
Other browsers
Drag and Drop to a hosted Browser control
How can I tell if a web client is blocking ads?
How can I determine a web user's time zone?