What happens when Flash accesses an https resource?

Question

If a swf located at http://example.com/test.swf makes a request to https://secure.com/webservice.xml, what happens? Adobe's documentation on cross domain policy files notes the "secure" attribute.

secure: [HTTPS and Sockets only, optional] Specifies whether access is granted only to HTTPS documents from the specified origin (true) or to all documents from the specified origin (false). If secure is not specified in an HTTPS policy file, it defaults to true. Using false in an HTTPS policy file is not recommended because this compromises the security offered by HTTPS; for example, allowing man-in-the-middle attacks to gain access to the HTTPS data protected by the policy file.

Does this mean the Flash player will actually make an HTTP request, rather than HTTPS? Is the issue that there's a presumption of less trust for .swf files being served from a non-secure domain? If the Flash player makes a proper SSL request, I don't see where the additional man-in-the-middle vulnerability comes from. And if it doesn't, I have to think the web server would probably be configured to reject it.

Answer 1

Nope. If you set attribute secure to false Flash application wouldn't make an http request. It would make https request to source that is published through https. But the main idea is that this attribute set to false allows Flash to make connections to other http resources. "Man in the middle" attack could be made in this moment. Imagine situation. Your Flash application loads some documents from https, and process them on some web server, using it's api, but through http, not secured, connection. Data that was loaded from https would be passed by Flash to web server through simple http. If you set secure attribute to true this will tell Flash that documents from https require security. And Flash would not make simple http request from that time anymore, because data from https could be probably been inserted in this not secure requests by program algorithm.