gnash-dev

Re: [Gnash-dev] default load policy in gnashrc


From: strk
Subject: Re: [Gnash-dev] default load policy in gnashrc
Date: Mon, 20 Nov 2006 16:13:37 +0100

On Mon, Nov 20, 2006 at 07:43:28AM -0700, Rob Savoye wrote:
> strk wrote:
> 
> > If you *do* have both 'whitelist' and 'blacklist', the
> > blacklist won't be used.
> 
>  Both should get used, in addition to the "localdomain()" value.  If a
> file that is to be loaded isn't in the whitelist or blacklist, then the
> value of localdomain (the only real security setting for Flash) is used
> to determine if it should be loaded or not.

The only security setting for Flash has nothing to do with the "local"
domain. Rather, loads from domains that are outside of the "toplevel movie's
domain" are denied by default, unless the *host* of the *external* movie
has a crossdomain.xml file saying something different.
For example, with the MM player, you play:

        http://one.site.com/myflash.swf

In turn, that flash loads an advertisement with getURL or loadMovie from:

        http://www.adv.com/adv1.swf

Unless a file 'http://www.adv.com/crossdomain.xml' contains a permission
for 'one.site.com' to load SWF files, the MM player will silently fail
in loading that.

No control for the user with the MM player.

--strk;
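
The check described in the message above, as an added example that is not part of the original post and is not Gnash or MM player code. It assumes the `allow-access-from domain="..."` element of the crossdomain.xml format; the function names, the size cap, the `*.` subdomain rule and the sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_POLICY_BYTES = 20_000  # assumed cap: the policy file is remote, untrusted input

def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def pattern_matches(pattern, host):
    """Match one allow-access-from domain value against the requesting host."""
    pattern = pattern.strip().lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumed rule: "*.site.com" covers subdomains only; keeping the
        # leading dot stops "evilsite.com" from matching.
        return host.endswith(pattern[1:])
    return host == pattern

def allowed_domains(policy_xml):
    """Domains listed in a crossdomain.xml body; empty if missing or malformed."""
    if not policy_xml or len(policy_xml) > MAX_POLICY_BYTES:
        return []
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return []  # fail closed: an unreadable policy grants nothing
    if root.tag != "cross-domain-policy":
        return []
    return [e.get("domain", "") for e in root.iter("allow-access-from")]

def may_load(toplevel_url, external_url, policy_xml):
    """Deny cross-domain loads unless the external host's policy names us."""
    top, ext = host_of(toplevel_url), host_of(external_url)
    if not top or not ext:
        return False
    if top == ext:
        return True  # same domain as the toplevel movie
    return any(pattern_matches(p, top) for p in allowed_domains(policy_xml))

# Constructed sample: what http://www.adv.com/crossdomain.xml might contain.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="one.site.com"/>
</cross-domain-policy>"""
```

The policy is fetched from the host of the external movie, so the decision rests with that host rather than with the user running the player.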



