swf security html embed


flyflyfly
04-24-2009, 06:18 PM
hi

On site B (WWW.BBB.COM/mypage.html) I have embedded in an html page an swf from another site's url (http://WWW.AAA.COM/test.swf).

From site B I'm able to request all functions in the swf on the www.aaa.com site.

The cross domain policy doesn't work with the html embed tag.

this is an online example:

http://www.amiamo.info/flex/test.html

how can I protect the swf on www.aaa.com?

thanks

wvxvw
04-24-2009, 07:33 PM
Remove your http://www.amiamo.* domain from
www.music4you.it/crossdomain.xml

flyflyfly
04-25-2009, 08:42 AM
my crossdomain is:
<allow-access-from domain="*.amiamo.it"/>
<allow-access-from domain="www.amiamo.it"/>

the example page is on www.amiamo.info, not on www.amiamo.it

flyflyfly
04-25-2009, 08:58 AM
I put it on another domain that is not in the crossdomain list.

http://www.infoamica.com/flex/test.html

the result is the same.

wvxvw
04-25-2009, 11:38 AM
Is the SWF you're loading a Flex module / Flex application (i.e. does it have a generated system manager class)? Because if it is so... then, I'm afraid it won't be possible... I'm sorry, I cannot post this info openly, but if you want, PM me and I'll explain...
Or... you know what... try not to use signed RSLs for the SWF you're trying to load (given it is a module / application); I'm not sure it will help, but there's a chance...

EDIT: Scratch that :) I hadn't looked at how you load the SWF. OK, then there is a way to prevent it.
See, you're loading the SWF from a location that is allowed:
http://www.music4you.it/prova/cms/SQLite_test1.swf.
So the crossdomain permits it to communicate with any other SWF that comes from www.music4you.it (which is the module you load).
So, what you can do:
A better way - check on your server the referrer parameter of the request (usually it'd have an IP of the page / script that is requesting to get your SWF). If it's not one of the IPs used by your server, then don't let that IP download your SWF. The bad side of it: the referrer parameter of the request may be faked... So, it is possible to pretend that the request for the SWF is coming from your server even though it's not. But if that must be protected, you may do something like this: have a page that requires authentication, which is not connected to your SWF; once the authentication has passed, save that session, and only if the visitor requesting your SWF has the same SID let him download your SWF.

A simpler solution would be to grab the location of the HTML page containing your SWF via ExternalInterface; if it's not your page (somebody is trying to hotlink your SWF) then perform some sort of self-destruction or whatever other malicious act you may think of so as not to allow the unauthorized access. The container page may try to prevent the SWF from being able to contact JS in the page (thus preventing it from discovering the location of the page); in such a case you should do the same as if the location wasn't the one you expected (but you'll have to permit cross-scripting in your original page in order to make it work).
Also it is possible to hotlink not the SWF, but the entire HTML page containing your SWF by putting it into an <iframe> / <frameset>, in which case you'd need to traverse the DOM of the HTML page containing your SWF and make sure you're not in an iframe / frameset.
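The ExternalInterface check and the iframe check described in the reply above, written out as an added example (this is not code from the thread or from the poster's site). It assumes the SWF's document class is named HotlinkGuard, that the owner's site is www.aaa.com as in the question, and that the allow-list ALLOWED_HOSTS is the only thing that needs changing; if the container page refuses the JS bridge, throws, or reports that it is framed, the SWF simply never starts.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;

    // Added example, not from the thread. Document class for the SWF that
    // lives on www.aaa.com (hypothetical host): it only starts if the page
    // embedding it is on an allowed host and is not itself framed.
    public class HotlinkGuard extends Sprite {
        // Hosts whose pages may embed this SWF (assumed allow-list).
        private static const ALLOWED_HOSTS:Array = ["www.aaa.com", "aaa.com"];

        public function HotlinkGuard() {
            if (containerIsTrusted()) {
                startApplication();
            }
            // Otherwise do nothing: no modules loaded, nothing drawn.
        }

        private function startApplication():void {
            // The real application / module loading would go here.
        }

        // Ask the container page where it is and whether it is framed.
        // Any failure (no JS bridge, allowScriptAccess="never", an
        // exception) is treated as hostile, as the reply suggests.
        private function containerIsTrusted():Boolean {
            if (!ExternalInterface.available) {
                return false;
            }
            var href:Object;
            var framed:Object;
            try {
                href = ExternalInterface.call(
                    "function(){ return String(window.location.href); }");
                framed = ExternalInterface.call(
                    "function(){ return window.top !== window.self; }");
            } catch (e:Error) {
                return false;
            }
            // Refuse unless the page answered and is the top-level document.
            if (href == null || framed !== false) {
                return false;
            }
            return isAllowedHost(hostOf(String(href)));
        }

        // Extract the host part of scheme://host[:port]/path, lowercased.
        private function hostOf(url:String):String {
            var m:Array = url.match(/^[a-z][a-z0-9+.\-]*:\/\/([^\/:?#]+)/i);
            return m ? String(m[1]).toLowerCase() : "";
        }

        // Exact host match only; no suffix matching, so "aaa.com.evil.net"
        // or "notaaa.com" cannot slip through.
        private function isAllowedHost(host:String):Boolean {
            for each (var allowed:String in ALLOWED_HOSTS) {
                if (host == allowed) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Two caveats a practitioner should keep in mind. The legitimate embedding page must set allowScriptAccess so the bridge works at all, otherwise the SWF will refuse its own site. And because the JavaScript the SWF calls runs inside the embedding page, a page that wants to hotlink can arrange for those calls to return whatever it likes; this stops casual copy-and-paste hotlinking, it is not a security boundary.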

flyflyfly
04-26-2009, 04:19 PM
thanks wvxvw :)

I'll try to use ExternalInterface or a simple .htaccess on the Apache server to filter the hotlinking.
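An .htaccess hotlink filter of the kind mentioned in the last post, and the server-side referrer check from the reply before it, as one added example (not configuration from the thread). It assumes mod_rewrite is enabled and that the SWF is served from www.aaa.com, the name used in the question; the host in the second RewriteCond is the only part that needs changing.

```apache
# Added example, not from the thread: assumes the SWF lives under
# http://www.aaa.com/ and should only be embedded by pages on aaa.com.
RewriteEngine On

# Requests with no Referer at all are let through, because proxies,
# privacy settings and HTTPS->HTTP navigations strip the header and
# blocking them would break legitimate visitors too.
RewriteCond %{HTTP_REFERER} !^$

# Allow pages on the owner's own hosts (case-insensitive, exact host).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?aaa\.com(/|$) [NC]

# Any other page asking for a .swf gets 403 Forbidden.
RewriteRule \.swf$ - [F,NC]
```

The weakness is the one already pointed out in the thread: the Referer header is supplied by the client. A hotlinking page can be served in a way that causes the browser to send no Referer (for example from an HTTPS page embedding the HTTP SWF), which this rule deliberately lets through. Dropping the first RewriteCond closes that hole at the cost of blocking every visitor whose browser or proxy strips the header.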