Tuesday, May 30, 2006
Curiosity is bliss: Cross-domain AJAX using Flash
Why does Flash allow this? Doesn't this pretty much blow a hole in browser security? One more reason I'm glad I have this stuff blocked.
EDIT: it appears this isn't nearly as bad as it looks, because of the requirement to use crossdomain.xml files on the server-side.
It still seems like you could write some sort of port-scanning Flash movie that can tell whether a request failed because of lack of crossdomain.xml or because of a host/port not responding. Maybe by timing how long it takes for it to fail? I don't know enough about Flash to know how to try it.