I have a swf one one server that is pulling content from an Amazon S3 server. I have set up, for now, a generic cross-domain policy to allow all domains access:
On the server containing the swf:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
On the S3 server:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only" />
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*"
headers="SOAPAction" />
</cross-domain-policy>
These seem to be playing nicely (for the most part) as my swf is loading json, xml, etc. files from the S3 server just fine now. What it's not doing right is loading swfs from the S3 server, when it tries to do that it throws this exception:
SecurityError: Error #2121: Security sandbox violation: Loader.content: s3.amazonaws.com/bucket_name/swfs/foo.swf cannot access s3.amazonaws.com/bucket_name/data/swfs/bar.swf. This may be worked around by calling Security.allowDomain.
I assume this is because remote swfs could contain malicious executable code. Do I actually need to set the allowDomain to something or is there some other 'more correct' way of allowing my swf to load up other remote swfs?
