ForumsDevelopersSupport for Flash and Silverlight
Support for Flash and Silverlight
| Author | Message |
|---|---|
|
Mark Monster |
Hi,
I'm a Silverlight developer, but my request also helps Flash developers. Basically this feature has been discussed before (http://www.toodledo.com/forums/7/346/0/flash-widgets-and-crossdomainxml.html). But basically I really would like to see a crossdomain.xml or a clientaccesspolicy.xml file at the root of api.toodledo.com so it would enable me and other Silverlight and Flash developers to integrate with Toodledo. Is this possible in the near future? I discussed this with Jake Olefsky in March 2009. He suggested to proxy the toodledo api so I could start development, we are now 3 months later. I hope there's a planned date for this. - Mark Monster |
|
Jake Toodledo Founder |
I am not familiar with flash development and have not had a chance to learn it. If someone wants to create a crossdomain file for me, that gives access to the API, but restricts access to everything else, I'll be happy to install it after reviewing it.
|
|
Jake Toodledo Founder |
We now have a crossdomain policy so you can develop stuff in flash using our API.
|
|
Mark Monster |
Thanks for this crossdomain policy file.
|
|
Jake Toodledo Founder |
We have temporarily removed our crossdomain policy file so that we can review it and potentially correct any security vulnerabilities that it might cause. Facebook and MySpace were both recently hit by a crossdomain flaw, and we want to make sure that we don't have the same issues. We'll restore this file once we figure it out.
Here is some background on the Facebook/MySpace flaw: http://www.yvoschaap.com/index.php/weblog/facebook_myspace_accounts_hijacked/ |
|
mike |
Any plans for the return of these policy files? I have written a Silverlight client that I would like to use with Toodledo.
This message was edited Jan 10, 2010. |
|
Jake Toodledo Founder |
We are still trying to figure out the best way to do this with while keeping our site secure. It may take a little restructuring on our end to get this back in place.
|
|
Mark Monster |
Any news? It's difficult to start even writing an app against a platform that's unstable at the integration part.
|
|
Jake Toodledo Founder |
Sorry, no news. This requires some file structure restructuring on our side to do this without exposing ourselves to a security vulnerability and we haven't had a chance to do this yet. The difficult part is maintaining backwards compatibility with existing apps using the API.
|
|
Mark Monster |
Posted by Toodledo:
Sorry, no news. This requires some file structure restructuring on our side to do this without exposing ourselves to a security vulnerability and we haven't had a chance to do this yet. The difficult part is maintaining backwards compatibility with existing apps using the API. Can you explain this in a little bit more detail? Why not have an additional url (for example api.toodledo.com) where the api will be hosted in the future, that url is for example in that case the only one with a crossdomain.xml. The existing apps are still using www.toodledo.com for their API calls but don't require the crossdomain, because if they did, it wouldn't have worked. Maybe it's just me missing a few details. |
|
Jake Toodledo Founder |
Yeah, that is basically what we need to do, but it requires restarting the web server and moving a bunch of files around, so we haven't done that yet. We are doing an internal reorganization/cleanup of code right now. Once we are done, it will be easier for us to do this.
|
|
Mark Monster |
Any planned dates where we can work towards?
|
|
Jake Toodledo Founder |
This is on our to-do list, but it is our policy to not comment on our roadmap or delivery dates for future feature improvements.
|
|
Mark Monster |
Thanks for this comment. I understand this policy and will look for alternative solutions.
|
|
mike |
The "vulnerability" has the same threat from Flash, Silverlight, or any other service calling the API. There's nothing Flash or Silverlight specific about it. A desktop app or browser request that doesn't use a crossdomain.xml or clientaccesspolicy.xml would pose the same "threat" as a Silverlight or Flash app. So removing the .xml files doesn't really protect anything. It just ensures that the attack vector won't include Silverlight or Flash. What can be done, is to create a proxy service (even with a simple ashx file) on the host of the Silverlight app. Just pass the request through to Toodledo, and stream the response back. I've had success with this approach. Also, using a trusted Silverlight application out of browser doesn't access the clientaccesspolicy.xml files, so you can use the Toodledo APIs without any problem. This is the approach that my current app is using for a full Silverlight client.
|
You cannot reply yet
U Back to topic home
R Post a reply
To participate in these forums, you must be signed in.