The websites my application have to access is:

My own, via HTTPS

reCAPTCHA to fetch a challenge string, via HTTPS

A separate website, via HTTP

My own, I can host any type of required policy file. I'd of course need help with what the policy file needs to include, though.

reCAPTCHA, I need to fetch a challenge string, which then is used to fetch the CAPTCHA (https://api.recaptcha.com/image?k=<challenge string> i think) and later I need to submit the answer there to check it.

A separate website, after I check the answer with reCAPTCHA it will give me a token which my application then needs to submit to that website.

All requests are currently through HTTP, I don't know how to communicate through HTTPS yet and need help with that.

With the separate website, it's a type of ranking website that needs all of the requests to it to be through unique IP addresses, and so I need the applet to send/receive data to/from that website directly from the user's computer.

reCAPTCHA checking involves submitting the value of $_SERVER['REMOTE_ADDR'] which reCAPTCHA checks to make sure is the IP address that requested the CAPTCHA, so I need the applet to send/receive data to/from that from the user's computer as well.

My own website, I can add any workaround on that as I want.

You may know, there's no hope of me getting Google to add a policy file or whatever onto reCAPTCHA without it going at least a few months of approval process and also there's no way I can use a proxy because then the IP logged is the proxy's IP rather than the user's IP.

Not sure what you mean by sandbox. I'm currently using HTTPService if that helps at all, it works fine locally but if I try HTTPS it won't work, and if I try loading it onto my website it will never load the CAPTCHA.

Regards.

It is a HTML based website, I'm just using this application to check the CAPTCHA itself.

I can't do it in Javascript, needed to be done entirely in Flash. Besides, Javascript has cross-domain restrictions too.

The crossdomain.xml on reCAPTCHA is:

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="by-content-type" /></cross-domain-policy>

I have no idea what it means for me though.

The crossdomain.xml on the other website is nonexistant, and there's no way I can get them to add it, believe me I've tried something similar with it, a even smaller modification and it was turned down.

I'm ok with even a warning box saying "Are you sure you want to allow this to connect to http;//domain.com", it's a fully legitimate application and two legitimate websites, nothing shady.

Regards.

They're doing it entirely in Javascript or IFrames. The issue is, here, there is a requirement to validate the CAPTCHA on the client side and in order to do that I need to call out to reCAPTCHA.

Oh, and when they do it via Javascript that Javascript file is loaded from reCAPTCHA's domain.

It needs to be done entirely in Flash because obfuscated Flash is much more difficult to patch than obfuscated Javascript and the implementation I'm doing requires that tiny extra bit of security.

It's a very different implementation I'm doing.

Basically: It's a ranking site, I need a way to get a callback when the user votes. Some of these ranking sites do not provide a callback or even a "Vote success" message so I have to do this type of workaround.

So, no way, even if I were to have a security popup display or something?

Alright, so I get this error:

[RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]

    at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()

    at mx.rpc::Responder/fault()

    at mx.rpc::AsyncRequest/fault()

    at DirectHTTPMessageResponder/securityErrorHandler()

    at flash.events::EventDispatcher/dispatchEventFunction()

    at flash.events::EventDispatcher/dispatchEvent()

    at flash.net::URLLoader/redirectEvent()

So even if like stated here (http://kb2.adobe.com/cps/142/tn_14213.html), "When placed on a server, it tells the Flash Player to allow direct access to data on that server, without prompting the user grant access." if I were to have a prompt show up, no way?

What would be the proper way to pass the requests to Javascript and get the results back then?

So there is no way at all for me to get that data via the browser, even if via Javascript or anything? Proxies won't work because then it'd always be my server's IP logged rather than the user's.

Heh. Would this application be impossible to make then, in this case?

I thought the crossdomain thing was to prevent flash files from sending /localhost or /intranet_tradesecrets, not to prevent the usage of a public API.

So short of going to Google and making them update their crossdomain this is hopeless?

Well, I can't exactly control what CAPTCHA service someone else's website uses.