RE: [Flashcoders] XML socket policy files on ports < 1024 (SECURITY
ISSU


2004-02-17       - By Paul Lemon

Jason,

Thanks for your input on this.

I am still confused. I have read that document and was aware that policy files that are served from XMLSocket servers must contain port ranges. The xml I sent you was served from the HTTP server.

In that document it states

<quote>
A policy file obtained from the default location (/crossdomain.xml on an HTTP server on port 80) implicitly authorizes XMLSocket access to all ports 1024 and above. There is no way to retrieve a policy file to authorize XMLSocket operations from any other location on an HTTP server; any custom locations for XMLSocket policy files must be on an XMLSocket server.

To connect an XMLSocket to a port lower than 1024, you must always first load a policy file with loadPolicyFile, even when your movie connects to its own exact domain.
</quote>

But the behaviour that I am apparently seeing is in contradiction of this. The crossdomain.xml file served from an HTTP server is allowing the player to connect to a port <1024. Either that or the movie is being permitted to connect regardless of the content of the policy file.

Paul


> -----Original Message-----
> From: Jayson K Hanes [mailto:jayson@(protected)]
> Sent: 17 February 2004 10:05
> To: flashcoders@(protected)
> Subject: RE: [Flashcoders] XML socket policy files on ports < 1024
> (SECURITY ISSUE?)
>
>
> In fact, it is.
>
> You need to define port ranges in the crossdomain.xml file..
>
> See:
>
> http://www.macromedia.com/devnet/mx/flash/articles/fplayer_security_03.html

Example:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for xmlsocket://socks.mysite.com -->
<cross-domain-policy>
<allow-access-from domain="*" to-ports="507" />
<allow-access-from domain="*.mysite.com" to-ports="507,516" />
<allow-access-from domain="*.myothersite.com" to-ports="516-523" />
<allow-access-from domain="www.myothersite.com" to-ports="507,516-523" />
<allow-access-from domain="www.mysite.com" to-ports="*" />
</cross-domain-policy>


Hope that helps.

-Jayson

> -----Original Message-----
> From: Paul Lemon [mailto:paull@(protected)]
> Sent: Tuesday, February 17, 2004 5:01 AM
> To: flashcoders@(protected)
> Subject: RE: [Flashcoders] XML socket policy files on ports < 1024
> (SECURITY ISSUE?)


=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Supported by Fig Leaf Software
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Be sure to check the archives and the wiki:
http://chattyfig.figleaf.com/
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:mss:104422
=-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
To unsubscribe send a blank e-mail to:
Normal Mode: flashcoders-unsubscribe@(protected)
Digest Mode: flashcoders-digest-unsubscrive@(protected)
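
Added example, not part of the original thread and not Macromedia's code: a small Python model of the documented rule quoted above, evaluated against the policy from the example, so the documented outcome can be compared with what a player actually does. The function names, the served_by values and the domain-wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Policy from the thread's example (XML declaration and DOCTYPE omitted).
POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" to-ports="507" />
  <allow-access-from domain="*.mysite.com" to-ports="507,516" />
  <allow-access-from domain="*.myothersite.com" to-ports="516-523" />
  <allow-access-from domain="www.myothersite.com" to-ports="507,516-523" />
  <allow-access-from domain="www.mysite.com" to-ports="*" />
</cross-domain-policy>"""


def port_matches(spec, port):
    """True if port is covered by a to-ports value such as "507,516-523" or "*"."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if not part:
            continue  # missing or empty to-ports grants nothing
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def domain_matches(pattern, domain):
    """Assumed matching: "*" is any domain, "*.x" is any subdomain of x, else exact."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return pattern == domain


def socket_allowed(policy_xml, movie_domain, port, served_by):
    """served_by: "http" (default /crossdomain.xml) or "xmlsocket" (loadPolicyFile)."""
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), movie_domain):
            continue
        if served_by == "http":
            # Documented rule: an HTTP-served policy only ever covers ports >= 1024.
            if port >= 1024:
                return True
        elif port_matches(rule.get("to-ports", ""), port):
            return True
    return False
```

Under this model, socket_allowed(POLICY, "www.mysite.com", 507, "http") is False; a player that connects in that situation is not following the documented rule.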


