Ok, so we all know how much the Flash Player security model blows. So, because we weren’t in enough pain, Adobe is in the process of making the player even more strict (which is good) by giving you even more mundane tasks to complete if you ever want to do something totally crazy and out there like load SWFs from a subdomain.

You’ve probably already dealt with the crossdomain.xml file, but there are a few changes that you can make to it now, specifically to prohibit crossdomain spoofing if you allow file uploads. You can now set the crossdomain file in the root of your site to be the meta-mega-powerful-nothing-else-counts crossdomain file.
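A quick audit of a root crossdomain.xml for the meta-policy described above, as an added example that is not from the original post. Both policy files are constructed samples, `static.example.com` is a placeholder, and `audit_policy` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a wide-open root policy with no meta-policy.
LOOSE = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: the root file is declared the only policy file that counts.
# static.example.com is a placeholder subdomain.
STRICT = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings for the text of a root /crossdomain.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    site = root.find("site-control")
    meta = None if site is None else site.get("permitted-cross-domain-policies")
    if meta is None:
        findings.append("no site-control meta-policy declared")
    elif meta not in ("master-only", "none"):
        findings.append(f"meta-policy '{meta}' lets policy files outside the root count")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from grants every domain (wildcard)")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from grants all subdomains: {domain}")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" lets HTTP callers read HTTPS content ({domain})')
    return findings


if __name__ == "__main__":
    for name, text in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, audit_policy(text) or "no findings")
```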

The really great part about all of this is that regardless of how you set your crossdomain files, Flash Player will NEVER let you load a SWF from another domain and operate on it without the Security.allowDomain() set on the loaded SWF. It doesn’t matter if your crossdomain is as loose as a college cheerleader, or if you do the meta-crossdomain file, or set a crossdomain on both the loading and loaded domain. It doesn’t matter. The only way to get around this is to create a proxy SWF on the domain of the loaded site and pass in the URL that’s on the same domain as the proxy that you actually want to load.

More info on the Flash Player 9 Security Updates.
