<div>I am looking at fixing an issue with how we display image assets in</div><div>swf9, and I was trying to remove the bitmap conversion step from the</div><div>swf9 LzSprite implementation, and when I did that, I noticed these</div>
<div>warnings print out in fdb, and the thumbnails do not appear:</div><div><br></div><div><br></div><div>[SWF] /trunk4/demos/amazon/amazon.lzx - 133 bytes after decompression</div><div>[trace] Warning: Domain <a href="http://ecx.images-amazon.com">ecx.images-amazon.com</a> does not specify a meta-policy. &nbsp;Applying default meta-policy &#39;all&#39;. &nbsp;This configuration is deprecated. &nbsp;See <a href="http://www.adobe.com/go/strict_policy_files">http://www.adobe.com/go/strict_policy_files</a> to fix this problem.</div>
<div>[trace] Error: Request for resource at <a href="http://ecx.images-amazon.com/images/I/411XEC9SEYL._SL75_.jpg">http://ecx.images-amazon.com/images/I/411XEC9SEYL._SL75_.jpg</a> by requestor from <a href="http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&amp;debug=true&amp;lzr=swf9">http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&amp;debug=true&amp;lzr=swf9</a> is denied due to lack of policy file permissions.</div>
<div>[trace] *** Security Sandbox Violation ***</div><div>[trace] Connection to <a href="http://ecx.images-amazon.com/images/I/411XEC9SEYL._SL75_.jpg">http://ecx.images-amazon.com/images/I/411XEC9SEYL._SL75_.jpg</a> halted - not permitted from <a href="http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&amp;debug=true&amp;lzr=swf9">http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&amp;debug=true&amp;lzr=swf9</a></div>
<div>[trace] Error: Request for resource at <a href="http://ecx.images-amazon.com/images/I/311A24YVH6L._SL75_.jpg">http://ecx.images-amazon.com/images/I/311A24YVH6L._SL75_.jpg</a> by requestor from <a href="http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&amp;debug=true&amp;lzr=swf9">http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&amp;debug=true&amp;lzr=swf9</a> is denied due to lack of policy file permissions.</div>
<div><br></div><div><br></div><div>And indeed, the domain <a href="http://ecx.images-amazon.com">ecx.images-amazon.com</a> that serves these images</div><div>has this crossdomain.xml file which restricts access</div><div>
<br></div><div>&nbsp;&nbsp; &nbsp;&lt;cross-domain-policy&gt;</div><div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;*.<a href="http://images-amazon.com">images-amazon.com</a>&quot;/&gt;</div><div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://images.amazon.com">images.amazon.com</a>&quot;/&gt;</div>
<div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://g-images.amazon.com">g-images.amazon.com</a>&quot;/&gt;</div><div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;*.<a href="http://ssl-images-amazon.com">ssl-images-amazon.com</a>&quot;/&gt;</div>
<div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;*.<a href="http://amazon.com">amazon.com</a>&quot;/&gt;</div><div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://cea.target.com">cea.target.com</a>&quot;/&gt;</div><div>
&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://xyccea.target.com">xyccea.target.com</a>&quot;/&gt;</div><div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://testcea.target.com">testcea.target.com</a>&quot;/&gt;</div>
<div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://devcea.target.com">devcea.target.com</a>&quot;/&gt;</div><div>&nbsp;&nbsp; &nbsp;&lt;allow-access-from domain=&quot;<a href="http://sites.target.com">sites.target.com</a>&quot;/&gt;</div>
<div>&nbsp;&nbsp; &nbsp;&lt;/cross-domain-policy&gt;</div><div><br></div><div><br></div><div>But strangely in our code in trunk, running the amazon app in swf9</div><div>DOES still display the album images. &nbsp;But it also prints out these same</div>
<div>warnings, indicating that access was denied!&nbsp;</div><div><br></div><div>So it seems like maybe there&#39;s a bug in the Flash 9 security implementation, whereby</div><div>access to the images is possible if you ask for them as bitmaps, but</div>
<div>not if you try to display them directly as jpgs. I&#39;m pretty confused, but it seems pretty</div><div>clear that the crossdomain.xml file is trying to restrict access to these images, yet</div><div>we are fetching and displaying them anyway.&nbsp;</div>
<div><br></div><div><br></div><div><br></div><div>I&#39;m trying to figure out if there is something else I am missing here,</div><div>but it looks like Max inadvertently found a flash player security</div><div>hole.</div>
<div><br></div><br>-- <br>Henry Minsky<br>Software Architect<br><a href="mailto:hminsky@laszlosystems.com">hminsky@laszlosystems.com</a><br><br><br>
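To see why fdb reports the denial, here is an added Python example (not OpenLaszlo, Laszlo Systems or Adobe code) that evaluates the crossdomain.xml quoted in the message against the requestor URL from the trace. It treats a leading `*.` wildcard as covering the bare domain and its subdomains, and an absent site-control element as the deprecated default meta-policy 'all' named in the warning; both are assumptions about Adobe's matching rules.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The ecx.images-amazon.com policy exactly as quoted in the message above.
AMAZON_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*.images-amazon.com"/>
    <allow-access-from domain="images.amazon.com"/>
    <allow-access-from domain="g-images.amazon.com"/>
    <allow-access-from domain="*.ssl-images-amazon.com"/>
    <allow-access-from domain="*.amazon.com"/>
    <allow-access-from domain="cea.target.com"/>
    <allow-access-from domain="xyccea.target.com"/>
    <allow-access-from domain="testcea.target.com"/>
    <allow-access-from domain="devcea.target.com"/>
    <allow-access-from domain="sites.target.com"/>
</cross-domain-policy>"""

# The requestor URL from the fdb trace in the message.
DEMO_REQUESTOR = ("http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx"
                  "?lzt=swf&debug=true&lzr=swf9")

def meta_policy(policy_xml):
    """site-control meta-policy, or 'all' when the file has none (the
    deprecated default that the fdb warning complains about)."""
    sc = ET.fromstring(policy_xml).find("site-control")
    return sc.get("permitted-cross-domain-policies") if sc is not None else "all"

def domain_matches(pattern, host):
    """Match one allow-access-from domain value against a hostname. A leading
    '*.' is treated as matching the bare domain and every subdomain
    (assumption about Adobe's wildcard rules). Hosts are compared whole,
    so 'evil-amazon.com' does not match '*.amazon.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern

def requestor_allowed(policy_xml, requestor_url):
    """True if any allow-access-from entry covers the requestor's hostname."""
    host = urlparse(requestor_url).hostname or ""
    entries = ET.fromstring(policy_xml).findall("allow-access-from")
    return any(domain_matches(e.get("domain", ""), host) for e in entries)

if __name__ == "__main__":
    print("meta-policy:", meta_policy(AMAZON_POLICY))
    print("127.0.0.1 demo allowed:", requestor_allowed(AMAZON_POLICY, DEMO_REQUESTOR))
```

Run as written it reports meta-policy 'all' and that the 127.0.0.1 requestor is not covered by any entry, which is the denial the trace shows; a SWF served from a *.amazon.com host would be allowed.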