Tuesday, May 30, 2006

Curiosity is bliss: Cross-domain AJAX using Flash

Why does Flash allow this? Doesn't this pretty much blow a hole in browser security? One more reason I'm glad I have this stuff blocked.

EDIT: it appears this isn't nearly as bad as it looks, because of the requirement to use crossdomain.xml files on the server-side.

It still seems like you could write some sort of port-scanning flash movie that can tell whether a request failed because of lack of crossdomain.xml or because of a host/port not responding. Maybe by timing how long it takes for it to fail? I don't know enough about flash to know how to try it.
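For reference, here is what the server-side crossdomain.xml policy mentioned in the edit looks like (an added illustration, not part of the original post; the host names are made up). The first file is the permissive form that opens the server to Flash movies from any origin; the second only admits the named site, and only over HTTPS.

```xml
<?xml version="1.0"?>
<!-- Permissive policy: any Flash movie on any domain may read responses from this host.
     This is the setting that makes the cross-domain AJAX trick work against a server. -->
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
```

A restricted policy names the trusted origin explicitly (hypothetical host) and sets secure="true" so an HTTP-loaded movie cannot reach HTTPS content:

```xml
<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example-trusted.com" secure="true" />
</cross-domain-policy>
```

The player fetches /crossdomain.xml from the target host before honoring a cross-domain request, so a server that publishes no file, or a file without a matching allow-access-from entry, refuses the request.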
