I've got a crossdomain.xml file which allows SWFs running on only a certain few domains to download resources from my domain. However, one simple way around this is for a user to download the SWF to their local machine, and run it there (i.e. by double-clicking on it within Windows Explorer, not by running through http://localhost). It seems that when this happens, the crossdomain.xml file is ignored.

I understand that in my actionscript, I can do this:

if (Security.sandboxType.indexOf(Security.REMOTE) == -1) 
// running locally - don't allow

However it is incredibly easy for someone to decompile the SWF and simply remove this line.

Is it possible to do something on the server side to stop a locally running SWF to download from my site? I tried checking the referrer but this field often isn't populated. Does anyone have any other ideas?

Thanks, Matt