Also, the Socket class can be used to scan hosts and ports on the user's internal network that are reachable from the browser but not accessible from the Internet.
• The class ExternalInterface allows the developer to run JavaScript in the browser from Flash, for purposes such as reading and writing document.cookie.
• The classes XML and URLLoader perform HTTP requests (with the browser's cookies) on behalf of the user to allowed domains, for purposes such as cross-domain requests.
By default, the Flash security model is similar to the browser's Same Origin Policy: Flash can read responses only from the domain from which the Flash application was loaded. Flash also places some restrictions on sending HTTP requests, but you can usually make cross-domain GET requests via Flash's getURL() function (the request is sent even though the response cannot be read). Also, Flash does not allow Flash applications that are loaded over HTTP to read HTTPS responses.
Flash does allow cross-domain communication if a security policy on the other domain permits communication with the domain where the Flash application resides. The security policy is an XML file, usually named crossdomain.xml and usually located in the root directory of the other domain. The worst policy file from a security perspective looks something like this:
This policy allows any Flash application on the entire Internet to communicate cross-domain with the server hosting this crossdomain.xml.
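As an added example (not code from the book), the following Python checker flags the dangerous crossdomain.xml settings discussed above. The two policy documents embedded in it are constructed samples: the first is the wide-open case the text refers to (every domain allowed, and the `secure="false"` attribute that lets a SWF loaded over plain HTTP read HTTPS responses), the second is a restricted policy that trusts one named origin and keeps the default `secure="true"`. The finding codes are this example's own convention, not anything Flash defines.

```python
"""Audit Flash crossdomain.xml policies for over-permissive rules.

Added example, standard library only. Policy samples below are constructed
for illustration; the finding codes are this script's own convention.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the worst case. Any SWF on the Internet may read
# responses from this host with the victim's cookies, SWFs loaded over
# plain HTTP may read HTTPS responses, and any site may send any header.
WIDE_OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: only SWFs served from one named host may talk to us,
# and (secure defaults to true) only if that SWF was loaded over HTTPS.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>
"""


def _access_rules(root):
    """Return the <allow-access-from> rules as dicts with domain and secure."""
    rules = []
    for el in root.findall("allow-access-from"):
        rules.append({
            "domain": el.get("domain", ""),
            # Flash treats secure as true unless it is explicitly "false".
            "secure": el.get("secure", "true").strip().lower() != "false",
        })
    return rules


def audit_policy(policy_xml):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [("PARSE_ERROR", str(exc))]
    if root.tag != "cross-domain-policy":
        return [("PARSE_ERROR", "root element is %r, not cross-domain-policy" % root.tag)]

    findings = []
    for rule in _access_rules(root):
        domain = rule["domain"]
        if domain == "*":
            findings.append(("ANY_DOMAIN", 'allow-access-from domain="*"'))
        elif domain.startswith("*."):
            findings.append(("WILDCARD_SUBDOMAIN", domain))
        if not rule["secure"]:
            # Only meaningful when the policy itself is served over HTTPS:
            # secure="false" lets a SWF loaded over HTTP read HTTPS responses.
            findings.append(("INSECURE_FLAG", domain))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append(("ANY_HEADERS", "any site may send any request header"))
    return findings


def finding_codes(policy_xml):
    """Sorted, de-duplicated finding codes, convenient for quick comparisons."""
    return sorted({code for code, _ in audit_policy(policy_xml)})


if __name__ == "__main__":
    for name, policy in (("wide open", WIDE_OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "->", audit_policy(policy) or "no findings")
```

Run it against a policy fetched from a target's document root (for example `curl -s https://host/crossdomain.xml`) and treat any `ANY_DOMAIN` or `INSECURE_FLAG` finding as a confirmation that the host will answer cookie-bearing requests from arbitrary SWFs.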