Flash crossdomain.xml

Discussions about the Application Boundaries Enforcer (ABE) module
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Flash crossdomain.xml

Post by therube »

Looking in Error Console & I see ...

Code:

[ABE] <LOCAL> Deny on {GET http://127.0.0.1:7092/crossdomain.xml <<< http://www.splayer.org/}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
"Searching" for crossdomain.xml & I find a version in my IE TIF directory (dated 05/08/2009).

Code:

<cross-domain-policy><allow-access-from domain="*" to-ports="*" /></cross-domain-policy>
Seems that crossdomain.xml is used by Flash: external data is not accessible outside a Flash movie's domain.

So it looks like ABE blocked "access" to (a different) crossdomain.xml - today.
Should it have?

Whilst blocked, I get no Flash video playback.

If I disable ABE, I then end up with a new crossdomain.xml in %TMP%\plugtmp, & the Flash video plays.

Code:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
Should ABE correctly be protecting us here?
Possibly? Probably?
Is the bigger issue that the splayer site is mis-configured & if it were configured correctly, then the issue would not arise?


Another crossdomain.xml for reference, http://twitter.com/crossdomain.xml:

Code:

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com"/>
<allow-access-from domain="api.twitter.com"/>
<allow-access-from domain="search.twitter.com"/>
<allow-access-from domain="static.twitter.com"/>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>

Crossdomain.xml Invites Cross-site Mayhem

Allowing cross-domain data loading

About custom policy file locations


(On a side note, there may be issues with Flash & IPv6.)


(Allowing splayer.org & clicking on the displayed "player") there is (at least) one video (as random ones pop up) that generates the ABE warning, this, the green one, http://i30.tinypic.com/1pgw8k.jpg.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
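An added example (not code from NoScript/ABE or from anyone in this thread) that makes the two points above checkable: it parses the three crossdomain.xml files quoted in the post and reports which grants are wildcards, and it models the quoted SYSTEM rule (Site LOCAL / Accept from LOCAL / Deny) for the blocked request. The twitter.com policy is reproduced with an added xmlns:xsi declaration so the XML parser accepts the xsi: prefix, and the LOCAL test (loopback, link-local and RFC 1918 addresses plus localhost names) is an approximation of ABE's matcher, not its exact definition.

```python
"""Audit Flash crossdomain.xml policies and model ABE's built-in LOCAL rule.

Added example for this thread; not code from NoScript/ABE or from any poster.
The policy texts are the ones quoted in the post; the LOCAL test is an
assumption about how ABE classifies loopback/LAN addresses.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Policy that appears in %TMP%\plugtmp once ABE is disabled.
SPLAYER_TMP_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Older copy found in the IE cache.
IE_CACHE_POLICY = ('<cross-domain-policy>'
                   '<allow-access-from domain="*" to-ports="*" />'
                   '</cross-domain-policy>')

# twitter.com/crossdomain.xml as quoted, plus an xsi namespace declaration
# (added here so the parser accepts the xsi: prefix).
TWITTER_POLICY = """<cross-domain-policy
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com"/>
<allow-access-from domain="api.twitter.com"/>
<allow-access-from domain="search.twitter.com"/>
<allow-access-from domain="static.twitter.com"/>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Parse a crossdomain.xml and report the grants that widen which
    Flash movies may read this site's responses."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is %r, expected cross-domain-policy" % root.tag)
    report = {"domains": [], "wildcard_domain": False, "wildcard_ports": False,
              "insecure": False, "findings": []}
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        report["domains"].append(domain)
        if domain == "*":
            report["wildcard_domain"] = True
            report["findings"].append(
                'allow-access-from domain="*": a SWF on any site may read responses')
        elif domain.startswith("*."):
            report["findings"].append("allow-access-from wildcard subdomain %s" % domain)
        if rule.get("to-ports") == "*":
            # to-ports only matters for socket policies, but "*" opens every port there.
            report["wildcard_ports"] = True
            report["findings"].append('to-ports="*": socket policy covers every port')
        if rule.get("secure", "true").lower() == "false":
            report["insecure"] = True
            report["findings"].append(
                'secure="false": http:// movies may read https:// content from %s' % domain)
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("headers") == "*":
            report["findings"].append(
                "allow-http-request-headers-from %s may send any header" % rule.get("domain"))
    ctl = root.find("site-control")
    report["site_control"] = (ctl.get("permitted-cross-domain-policies")
                              if ctl is not None else None)
    return report


def is_local(host):
    """Assumed approximation of ABE's LOCAL: localhost names, loopback,
    link-local and RFC 1918 addresses."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local


def abe_system_rule(request_url, origin_url):
    """Evaluate the SYSTEM rule quoted in the post:
         Site LOCAL / Accept from LOCAL / Deny
    Returns "accept", "deny", or "unmatched" when the destination is not LOCAL."""
    dest = urlsplit(request_url).hostname or ""
    origin = urlsplit(origin_url).hostname or ""
    if not is_local(dest):
        return "unmatched"
    return "accept" if is_local(origin) else "deny"


if __name__ == "__main__":
    for name, text in [("splayer %TMP%", SPLAYER_TMP_POLICY),
                       ("IE cache", IE_CACHE_POLICY), ("twitter.com", TWITTER_POLICY)]:
        rep = audit_policy(text)
        print(name, rep["domains"], rep["findings"] or ["no broad grants"])
    print(abe_system_rule("http://127.0.0.1:7092/crossdomain.xml", "http://www.splayer.org/"))
```

Run it as a script to see the three audits and the verdict for the blocked request: the splayer policies grant `domain="*"` (the IE copy also `to-ports="*"`), the twitter.com policy lists four named hosts with `master-only` site control, and the request from www.splayer.org to 127.0.0.1:7092 evaluates to "deny", matching the console line in the post.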
Flash_Gordon

Re: Flash crossdomain.xml

Post by Flash_Gordon »

Well I can't help you, but this makes me think that ABE monitors cross site requests made by Flash, thus made by plugins in general... Good thing if that's true!

Is that true Giorgio?
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Flash crossdomain.xml

Post by therube »

Yes it is a good thing.

No, not cross site requests made by Flash directly, but by the website itself - splayer in my case.
Splayer is trying to read a local file on my computer & ABE is rightfully blocking it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Flash crossdomain.xml

Post by Giorgio Maone »

therube wrote: No, not cross site requests made by Flash directly, but by the website itself - splayer in my case.
Yes, but it's a Flash object performing the request.
Therefore both you and Flash Gordon are right.
BTW, therube, have you actually got a web server running on http://127.0.0.1:7092 ?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Flash crossdomain.xml

Post by therube »

have you actually got a web server running on http://127.0.0.1:7092 ?
No.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
Flash_Gordon

Re: Flash crossdomain.xml

Post by Flash_Gordon »

Not willing to divert the topic but I'm really surprised that NoScript can monitor requests made by embedded plugins (Flash in this case). That's great news, I thought external communications launched by and from an embedded plugin were out of a Firefox add-on's reach.

A little more confident with plugins now ;)
(NoScript still can't access Adobe Reader's inner JavaScript for instance, which is perfectly normal. Well actually I thought it was also perfectly normal that Flash requests were out of reach - glad if I'm wrong!)

[/Off-topic]
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5