Also, Flash does not allow Flash applications that are loaded over HTTP to read HTTPS
responses.
Flash does allow cross-domain communication if a security policy on the other
domain permits communication with the domain where the Flash application resides.
The security policy is an XML file usually named crossdomain.xml and usually located
in the root directory of the other domain. The worst policy file from a security perspective
looks something like this:
This policy allows any Flash application to communicate (cross-domain) with the
server hosting this crossdomain.xml file.
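To make the difference concrete, here is a small policy auditor added as an example (not code from the book): it parses a crossdomain.xml document and flags the wildcard grant the text warns about, plus the secure="false" setting that lets HTTP-loaded SWFs read HTTPS responses. The two policy documents are constructed samples and the host name in the restricted one is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the overly permissive policy the text warns about.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: one named origin, secure left at its default (true),
# so a SWF loaded over plain HTTP still cannot read HTTPS responses.
RESTRICTED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings (empty when nothing is flagged).

    Checks the settings a reviewer cares about most:
    - domain="*" (or a leading-wildcard pattern) lets any Flash application
      on the web read responses from this host with the victim's cookies;
    - secure="false" lets SWFs loaded over HTTP read HTTPS data, undoing the
      HTTP-to-HTTPS restriction Flash otherwise enforces;
    - wildcard header grants let cross-domain requests carry arbitrary headers.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin')
        elif domain.startswith("*."):
            findings.append(f"wildcard rule {domain!r}: every subdomain is trusted")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain!r}: HTTP SWFs may read HTTPS data')
    for hdr in root.iter("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" or hdr.get("headers") == "*":
            findings.append("allow-http-request-headers-from uses a wildcard domain or header list")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```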
The policy file can have any name and be located in any directory. An arbitrary
security policy file is loaded with the following ActionScript code:
System.security.loadPolicyFile("http://public-pages.university.edu/crossdomain.xml");
Chapter 2: Cross-Site Scripting 31
If it is not in the server's root directory, the policy applies only to the directory in
which the policy file is located, plus all subdirectories within that directory. For instance,
suppose a policy file was located in http://public-pages.