Flex and crossdomain.xml

I was wondering if there are security issues when adding crossdomain.xml to the root of the application server? Can it be added to any other parts of the server, and do you know of any problems that do not require the server to have this file in place?

Thanks Damien

+7
security flex
5 answers

By adding crossdomain.xml, the main security issue is that flash applications can now connect to your server. Therefore, if someone logs into your site and then goes to another site that uses a malicious flash application, this flash application will be able to connect to your site. Since it is running in the browser, cookies are shared with the flash application. This allows the flash application to take over the user's session and act on your site without the user knowing about it.

If your flex application is running from the same server, you do not need crossdomain.xml.

You can put it in a subdirectory of your site and use System.security.loadSecurityPolicy()

http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html

Applications will then be limited to this tree of your directory structure.

+10

There is no workaround for the crossdomain file; it is necessary to support cross-domain data access or cross-domain scripting. For any cross-domain request, Flash will look for the crossdomain.xml file in the root of the domain. For example, if you request an XML file from:

http://mysubdomain.mydomain.com/fu/bar/

Flash checks for the presence of a crossdomain.xml file at:

http://mysubdomain.mydomain.com/crossdomain.xml

You can put the crossdomain.xml file in another place. However, whenever you need to load crossdomain.xml from another location, you need to do this through Security.loadPolicyFile. Keep in mind that the location of this crossdomain file has an effect on the security access that you get. Flash will provide access only to the folder containing the crossdomain file and its child folders.

You can also read about the security changes in Flash Player 10.

+1

You can configure a virtual host for your application. Thus, the crossdomain.xml file may be located in the root of your application, but not necessarily in the root directory of the server.

0

Yes. Be very careful with crossdomain policy files:
http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/

My two general rules:

  • Do not put a crossdomain policy file on a server that uses cookies
  • Do not put a crossdomain policy file on an internal server

0

crossdomain.xml is just a file that matters to the Flash runtime; you can restrict access to it at the HTTP request level. You can use the web server configuration (for example, Apache) to allow access to it (and only to it) from the root directory (see previous answers).

You can filter other headers in the request, etc.

Greetings

-1