

Support for Flash and Silverlight
Author Message
Mark Monster

Posted: Jul 01, 2009
Score: 0 Reference
Hi,

I'm a Silverlight developer, but my request also helps Flash developers.

Basically this feature has been discussed before (http://www.toodledo.com/forums/7/346/0/flash-widgets-and-crossdomainxml.html).

But basically I really would like to see a crossdomain.xml or a clientaccesspolicy.xml file at the root of api.toodledo.com so it would enable me and other Silverlight and Flash developers to integrate with Toodledo.

Is this possible in the near future?

I discussed this with Jake Olefsky in March 2009. He suggested proxying the Toodledo API so I could start development; we are now 3 months later. I hope there's a planned date for this.

-
Mark Monster
Jake

Toodledo Founder
Posted: Jul 01, 2009
Score: 0 Reference
I am not familiar with flash development and have not had a chance to learn it. If someone wants to create a crossdomain file for me, that gives access to the API, but restricts access to everything else, I'll be happy to install it after reviewing it.
Jake

Toodledo Founder
Posted: Jul 06, 2009
Score: 1 Reference
We now have a crossdomain policy so you can develop stuff in flash using our API.
Mark Monster

Posted: Oct 01, 2009
Score: 0 Reference
Thanks for this crossdomain policy file.
Jake

Toodledo Founder
Posted: Nov 05, 2009
Score: 0 Reference
We have temporarily removed our crossdomain policy file so that we can review it and potentially correct any security vulnerabilities that it might cause. Facebook and MySpace were both recently hit by a crossdomain flaw, and we want to make sure that we don't have the same issues. We'll restore this file once we figure it out.

Here is some background on the Facebook/MySpace flaw: http://www.yvoschaap.com/index.php/weblog/facebook_myspace_accounts_hijacked/
mike

Posted: Jan 10, 2010
Score: 0 Reference
Any plans for the return of these policy files? I have written a Silverlight client that I would like to use with Toodledo.

This message was edited Jan 10, 2010.
Jake

Toodledo Founder
Posted: Jan 10, 2010
Score: 0 Reference
We are still trying to figure out the best way to do this while keeping our site secure. It may take a little restructuring on our end to get this back in place.
Mark Monster

Posted: Mar 10, 2010
Score: 0 Reference
Any news? It's difficult to start even writing an app against a platform that's unstable at the integration part.
Jake

Toodledo Founder
Posted: Mar 10, 2010
Score: 0 Reference
Sorry, no news. This requires some file structure restructuring on our side to do this without exposing ourselves to a security vulnerability and we haven't had a chance to do this yet. The difficult part is maintaining backwards compatibility with existing apps using the API.
Mark Monster

Posted: Mar 11, 2010
Score: 0 Reference
Posted by Toodledo:
Sorry, no news. This requires some file structure restructuring on our side to do this without exposing ourselves to a security vulnerability and we haven't had a chance to do this yet. The difficult part is maintaining backwards compatibility with existing apps using the API.


Can you explain this in a little bit more detail? Why not have an additional URL (for example api.toodledo.com) where the API will be hosted in the future? That URL is, in that case, the only one with a crossdomain.xml. The existing apps are still using www.toodledo.com for their API calls but don't require the crossdomain, because if they did, it wouldn't have worked.

Maybe it's just me missing a few details.
Jake

Toodledo Founder
Posted: Mar 11, 2010
Score: 0 Reference
Yeah, that is basically what we need to do, but it requires restarting the web server and moving a bunch of files around, so we haven't done that yet. We are doing an internal reorganization/cleanup of code right now. Once we are done, it will be easier for us to do this.
Mark Monster

Posted: Mar 11, 2010
Score: 0 Reference
Any planned dates that we can work towards?
Jake

Toodledo Founder
Posted: Mar 11, 2010
Score: 0 Reference
This is on our to-do list, but it is our policy to not comment on our roadmap or delivery dates for future feature improvements.
Mark Monster

Posted: Mar 13, 2010
Score: 0 Reference
Thanks for this comment. I understand this policy and will look for alternative solutions.
mike

Posted: Jun 07, 2010
Score: 0 Reference
The "vulnerability" has the same threat from Flash, Silverlight, or any other service calling the API. There's nothing Flash or Silverlight specific about it. A desktop app or browser request that doesn't use a crossdomain.xml or clientaccesspolicy.xml would pose the same "threat" as a Silverlight or Flash app. So removing the .xml files doesn't really protect anything. It just ensures that the attack vector won't include Silverlight or Flash. What can be done is to create a proxy service (even with a simple ashx file) on the host of the Silverlight app. Just pass the request through to Toodledo, and stream the response back. I've had success with this approach. Also, using a trusted Silverlight application out of browser doesn't access the clientaccesspolicy.xml files, so you can use the Toodledo APIs without any problem. This is the approach that my current app is using for a full Silverlight client.
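
An added example, not part of any post in this thread and not Toodledo's policy file: a Python check of the kind a reviewer could run before installing a crossdomain.xml or clientaccesspolicy.xml, flagging grants that cover a whole host. The sample policies, the `/api` path and the `audit_policy` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not Toodledo's files); the /api path is hypothetical.
OPEN_FLASH = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
SCOPED_SILVERLIGHT = """<access-policy><cross-domain-access><policy>
  <allow-from><domain uri="*"/></allow-from>
  <grant-to><resource path="/api" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

ANY_ORIGIN = ("*", "http://*", "https://*")

def audit_policy(xml_text, host_has_cookie_sessions):
    """Return findings for a crossdomain.xml or clientaccesspolicy.xml body."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag == "cross-domain-policy":      # Flash
        for el in root.iter("allow-access-from"):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append("flash: any origin may read responses")
            elif domain.startswith("*."):
                findings.append(f"flash: wildcard subdomain grant {domain}")
            # secure defaults to true; false lets HTTP-served content read HTTPS data
            if el.get("secure", "true").lower() == "false":
                findings.append(f"flash: secure=false for {domain}")
    elif root.tag == "access-policy":          # Silverlight
        for policy in root.iter("policy"):
            open_origin = any(d.get("uri") in ANY_ORIGIN for d in policy.iter("domain"))
            for res in policy.iter("resource"):
                subpaths = res.get("include-subpaths", "false").lower() == "true"
                if open_origin and res.get("path") == "/" and subpaths:
                    findings.append("silverlight: any origin granted the whole host")
    else:
        raise ValueError(f"not a policy file: <{root.tag}>")
    # A host-wide grant matters most where the browser also sends session cookies,
    # which is why the thread settles on a separate API host for the policy file.
    if findings and host_has_cookie_sessions:
        findings.append("host serves cookie sessions: publish the policy on an API-only host")
    return findings

if __name__ == "__main__":
    for name, body in (("open flash", OPEN_FLASH), ("scoped silverlight", SCOPED_SILVERLIGHT)):
        print(name, audit_policy(body, host_has_cookie_sessions=True))
```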