Topic: Expanding the Flash Sandbox...

So far, most of the discussion on how to let a Chumby access content on another site contains instructions to place a "crossdomain.xml" file on the server that has a <allow-access-from domain="*.chumby.com"/> in it.  Most just say to put <allow-access-from domain="*"/> and that fixed everything.  Actually, it allows any Flash player to access any content.  That means any Flash player can access any web page... and, with relatively little ActionScript, peel it apart.

Even with the *.chumby.com, any Chumby could still access anything on the site.

I wanted something with a little more control, so I did some digging and found some interesting information.

First.. it turns out that 'crossdomain.xml' in the root of the server is the DEFAULT place that Flash will look for permission.  But there is a way to tell Flash to look somewhere else (found this in one of the posts on this site).

System.security.loadPolicyFile() allows you to specify the URL where the XML file is kept.  Which means that at least I can bury the policy file deeper in my server structure.  That was a help.  Then I noticed that the documentation says it is a URL to a location which returns an XML file.  Which means that it can actually point to a PHP script (or Ruby or Perl if you want).  The Flash player makes a standard HTTP request to the server, so not only can it be a PHP script, but you can pass parameters the same way you would with a GET request.

SO.. now we have some intelligence to work with.. not just a simple static XML file.
_root['_chumby_chumby_name'] and _root['_chumby_user_name'] contain the name of the Chumby and the user name.  With PHP I can get the IP address, so I can even get some idea where the Chumby is located, and I can get the URL request, so I can see where in the directory structure the Chumby is trying to ask for permission to.

Flash won't handle sessions ~:-(, but with some relatively straightforward programming, I can collect the permission request and use that in other pieces of code to see if this Chumby has been given permission, and do some tracking.

Certainly this isn't hack-proof code.  But it does provide some method to open the door 'a little'.

I put together a "proof of concept" widget and some simple PHP code if somebody is interested.
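
A sketch of the kind of policy script described in the post above, added here as an example; it is not the poster's proof-of-concept code. The `chumby` and `user` GET parameter names, the allowlist contents and the log path are assumptions, and because the widget supplies both values itself they can be forged, so the script narrows access rather than authenticating the device.

```php
<?php
// policy.php: added example, not the poster's code. Parameter names, the
// allowlist and the log path are assumptions made for illustration.
// The widget would point Flash at it with, per the post:
//   System.security.loadPolicyFile(".../policy.php?chumby=" + escape(name) + "&user=" + escape(user));

// Constructed allowlist: user name => Chumby names permitted for that user.
const ALLOWED = [
    'alice' => ['kitchen', 'bedside'],
    'bob'   => ['office'],
];
const LOG_FILE = '/var/log/chumby-policy.log'; // hypothetical path

// Read one GET parameter as a bounded string; arrays and missing values become ''.
function param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? substr($v, 0, 64) : '';
}

// Replace anything outside a safe set so a request cannot forge log lines.
function loggable(string $s): string
{
    return preg_replace('#[^\w./?=&% -]#', '?', $s);
}

function is_permitted(string $user, string $chumby): bool
{
    return array_key_exists($user, ALLOWED) && in_array($chumby, ALLOWED[$user], true);
}

$user      = param('user');
$chumby    = param('chumby');
$permitted = is_permitted($user, $chumby);

header('Content-Type: text/xml');
header('Cache-Control: no-store'); // decide again on every request

// Record who asked, from where, and for which URL, for later tracking.
error_log(sprintf("%s ip=%s user=%s chumby=%s uri=%s granted=%s\n",
    date('c'), $_SERVER['REMOTE_ADDR'] ?? '-', loggable($user), loggable($chumby),
    loggable($_SERVER['REQUEST_URI'] ?? '-'), $permitted ? 'yes' : 'no'), 3, LOG_FILE);

echo "<?xml version=\"1.0\"?>\n<cross-domain-policy>\n";
if ($permitted) {
    echo "  <allow-access-from domain=\"*.chumby.com\"/>\n"; // same grant as on the page
}
echo "</cross-domain-policy>\n"; // an empty policy grants no cross-domain access
```

A policy file loaded from a subdirectory only covers that directory and the ones below it, so placing the script next to the data it protects also limits what a granted request can reach.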