Our scenario is this:
We use Business Objects to build reports in Xcelsius - because of this, we dont have access to set the Security.allowDomain() (at least we have not found a way). The business objects server is access via hostA.subdomainX.domainY.com (This is actually a server on a different domain, but we have created a CNAME for hostA.subdomainX.domainY.com which points points to the real "hidden" domain).
We are trying to pull these SWF's into HTML that lives within a portal (Liferay) on a different host, but same domain and subdomain -> hostB.subdomainX.domainY.com. These HTML pages interact with those SWF's through EIC and everything works great if I physically deploy them with the HTML files on hostB.subdomainX.domainY.com, as soon as we try to pull them from hostA.subdomainX.domainY.com, the EIC interaction fails silently producing no errors.
We have read through this article several times over:
And we are focusing on the line that reads:
allowDomain() needed: Yes, if domains don't match exactly (For flashplayer 8 or newer)
Does this refer to the actual URL visible to the browser? In our situation the domains do match, the subdomains match, but the hosts do not, is that still against policy?
The player compares the entire domain portion of the ULR, so
hostA.subdomainX.domainY.com does not match hostB.subdomainX.domainY.com