
Re: [Gnash] spyware buried in Flash movies


From: strk
Subject: Re: [Gnash] spyware buried in Flash movies
Date: Fri, 27 Jan 2006 08:42:43 +0100

On Fri, Jan 27, 2006 at 02:33:39AM -0200, Claus Wahlers wrote:
...
> btw, for cross domain requests flash requires a contract between the
> server that is making the request and the server that is receiving it.

That contract is the more dumb and irritating thing found
in the proprietary player. Welcome Gnash!

Basically every time the bytecode asks the player to load a
.jpg or .xml which is not located under the base url (the
one from which the hosting Movie was loaded) the proprietary
implementation insists on getting explicit permission from
the target server, and tries to fetch a file named
cross-domain.xml from the target server root.

This is very frustrating as it's neither the user (who runs
the flash player application) nor the author of the main movie
being played that controls this. 

Note that most .jpeg found on the net can *not* be loaded 
from the proprietary player due exactly to this *insane*
limitation (people don't put cross-domain.xml files around
for the sake of it). So basically a resource that can be
linked from any *normal* HTML page can *not* be linked from
flash movies.

My vote is for happily disregarding this and not implementing the
cross-domain (in)security model as a whole. As an alternative
we might make this a user setting, just to allow people to
test their movies in 'MM-compatible' mode.

Again: if people want to defend their resources from being
externally loaded they should use protocol-specific methods
for that, and not rely on a client application fascist
restriction.

Welcome Gnash!

--strk;
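
The check described in this message, sketched as an added example (not Gnash's or the proprietary player's code): a load from a different origin is allowed only if the policy file at the target server's root lists the movie's host. The file name `crossdomain.xml` and the `allow-access-from` element follow the published Flash Player policy file format; the function names, hosts and stubbed fetcher are constructed for illustration, and "same origin" is simplified to scheme, host and port.

```python
# Added example, not Gnash or player code; all hosts and policies are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

POLICY_FILE = "crossdomain.xml"   # name the player requests from the server root
MAX_POLICY_BYTES = 64 * 1024      # assumption: cap on untrusted policy size

def origin(url):
    """Return (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)

def policy_url(target_url):
    u = urlsplit(target_url)
    return f"{u.scheme}://{u.netloc}/{POLICY_FILE}"

def policy_allows(policy_xml, movie_host):
    """Default deny: True only if an <allow-access-from> entry matches."""
    if not policy_xml or len(policy_xml) > MAX_POLICY_BYTES:
        return False
    try:
        root = ET.fromstring(policy_xml)  # untrusted input: prefer a hardened parser
    except ET.ParseError:
        return False
    for entry in root.iter("allow-access-from"):
        pattern = (entry.get("domain") or "").lower()
        if not pattern:
            continue
        if pattern in ("*", movie_host):
            return True
        # "*.example.com" matches subdomains only, never "notexample.com"
        if pattern.startswith("*.") and movie_host.endswith(pattern[1:]):
            return True
    return False

def may_load(movie_url, target_url, fetch_policy):
    """fetch_policy(url) returns the policy text, or None if the server has none."""
    if origin(movie_url) == origin(target_url):
        return True                       # same origin: no policy file needed
    policy = fetch_policy(policy_url(target_url))
    return policy_allows(policy, origin(movie_url)[1])

# Constructed sample: one image host publishes a policy, the other does not.
SAMPLE_POLICIES = {
    "http://img.example.net/crossdomain.xml":
        '<cross-domain-policy><allow-access-from domain="*.example.com"/>'
        '</cross-domain-policy>',
}

def fake_fetch(url):
    return SAMPLE_POLICIES.get(url)
```

A target server that publishes no policy file is denied by default, which is the case the message describes for ordinary images on the web.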



