A site dedicated to crossdomain.xml
I just stumbled on a simple little site called crossdomainxml.org that is devoted to the hugely useful yet somewhat shy and strangely mysterious crossdomain.xml file.
In the early days of Flash, the security sandbox was quite lax and sandbox security errors were almost unheard of. With each new version, however, Adobe (ok, ok, Macromedia) heightened the security of the player to address XSS (cross-site scripting) issues and other security concerns (like the hijacking of trusted network data from untrusted networks).
Instead of fully blocking data transfer between domains as Ajax does, however, Macromedia implemented the crossdomain.xml file so that server administrators can grant access to the data on their servers either to a list of selected domains or to any domain. Among other things, this makes it possible to consume web services from various public web APIs without using a server-side proxy. It does mean, however, that either the server has to implement an open crossdomain.xml file (using the allow-access-from domain="*" rule) or the server administrator has to add your domain to the list of allowed domains in the crossdomain.xml file. But which public services do this? This is where crossdomainxml.org comes in.
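To make the difference between an open policy and a domain list concrete, here is an added example (not code from the original post or from crossdomainxml.org) that audits a crossdomain.xml file and reports how broad each allow-access-from rule is. The two sample policies, the function names and the severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not copied from any real site).
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="*.example.org" secure="false" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a (domain, severity, reason) tuple for each finding."""
    # For policy files fetched from servers you do not control, parse with
    # a hardened XML parser; the inline samples here are trusted.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "").strip()
        if domain == "*":
            findings.append((domain, "high", "any domain may read responses"))
        elif domain.startswith("*."):
            findings.append((domain, "medium", "every subdomain is trusted"))
        else:
            findings.append((domain, "info", "single named domain"))
        # secure defaults to true; false lets SWFs loaded over plain HTTP
        # read data that this server delivers over HTTPS.
        if rule.get("secure", "true").lower() == "false":
            findings.append((domain, "medium", "HTTP-loaded SWFs may read HTTPS data"))
    return findings


def is_open(xml_text):
    """True when the policy grants access to every domain."""
    return any(sev == "high" for _, sev, _ in audit_policy(xml_text))
```

An open policy is reasonable for a host that serves only public, unauthenticated API data; on a host that also serves cookie-authenticated pages, the same rule lets a SWF from any site read those responses with the visitor's session.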
The site currently lists four public web service providers that have implemented open crossdomain.xml files. These are Yahoo!, YouTube, Flickr, and Amazon. It also links to several articles with more information on crossdomain.xml files.
I'm glad to see high-profile services implementing the crossdomain.xml file as it means that Flash developers can play with these services easily and create fun mashups without writing server-side code. For real-world applications, of course, you should be consuming web services on the server and exposing the data to your Flash/Flex client through an efficient protocol such as Flash Remoting (AMF).
Consuming web services on the server has several advantages. Most importantly, there's the security advantage. Always remember never to put any sensitive information inside your public-facing SWF files. For example, I cringe whenever I see ActionScript that contains database connection information -- you might as well not use a password if you're going to do that. This also applies to any private keys you may be using to access a web service. Don't forget that anyone can disassemble a SWF to get at any information that's included in it. At the very least, they can use your key to make API requests and use up your quota. If the web service is one that you are paying for, this could be an expensive mistake to make! Consuming services on the server also means that you can implement redundancies in case the public web service becomes unavailable (e.g., by using a local cache).