
Posted at 8:13 am in AIR, Flex, Server Configuration

Flash Security with Off-Root CrossDomain.xml files

Bruce Phillips (you should check out his interesting Flex posts) let me know that my Surfing Stats data didn't load when the SWF was hosted somewhere other than my http://www.nodans.com domain. I want others to take the code and do with it as they please, so I need to make the data available across domains. This is done with a crossdomain.xml file. The file I used looks like this:

This is a very promiscuous file: it allows a SWF hosted anywhere to load any data in the containing directory and all of its subdirectories. A file this permissive also opens up attack vectors. In the words of Lucas Adamski on DevNet:


As an example, a user is logged in to an e-commerce site that uses cookies for authentication. On the site is a user account settings page where you can see information such as your mailing address and other personally identifiable information. If this site has an overly permissive cross-domain policy file like *, a SWF file that is hosted on another domain could silently load the account settings data and send it elsewhere. This is because the browser appends the cookies for the e-commerce site to the request from Flash Player.

By default, Flash Player looks for the crossdomain.xml file in the root of the web site, but with a little code you can put it anywhere you please. I used this call to tell Flash Player where to find the crossdomain.xml file for my SWF:


// ActionScript 3: point Flash Player at the off-root policy file before loading the data.
import flash.system.Security;
Security.loadPolicyFile("http://www.nodans.com/custom/surfingstats/crossdomain.xml");

Now only the directory containing Surfing Stats (and its subdirectories) is opened up, reducing the attack surface. If you want to read more on the security issues with crossdomain.xml files, check out these links:
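To make the two points above concrete (a wildcard policy versus a scoped one, and how much of a site an off-root policy file governs), here is a small audit script. It is an added example, not code from the original post or from Adobe; the two sample policies are constructed for illustration, while the element and attribute names (cross-domain-policy, allow-access-from, site-control, secure, permitted-cross-domain-policies) are the ones Flash Player actually reads. The partner hostname is a placeholder.

```python
"""Audit crossdomain.xml policies and work out which paths a policy file governs.

Added example, not code from the original post. The sample policies are
constructed; the element and attribute names are the real ones from Adobe's
cross-domain policy file specification.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the kind of wildcard policy the post calls "promiscuous".
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed sample: grants access to one named origin (placeholder host), over
# HTTPS only, and keeps the meta-policy that honors only the root policy file.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.partner.example" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings (strings) describing over-permissive settings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("wildcard domain=\"*\": any SWF anywhere can read this "
                            "data with the user's cookies attached")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard domain=\"%s\": every host under "
                            "that zone is trusted" % domain)
        # secure defaults to true; an explicit false lets HTTP-served SWFs read HTTPS data.
        if rule.get("secure", "true").lower() == "false":
            findings.append("secure=\"false\" on domain=\"%s\": HTTP content may "
                            "read HTTPS data" % domain)

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append("any origin may send arbitrary request headers")

    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("meta-policy \"all\": policy files anywhere on the host are honored")
    return findings


def policy_directory(policy_url):
    """The scope of a URL policy file: its own directory and everything below it."""
    parts = urlsplit(policy_url)
    directory = parts.path.rsplit("/", 1)[0] + "/"
    return parts.scheme, parts.netloc, directory


def governs(policy_url, resource_url):
    """True if resource_url lies inside the scope of the policy file at policy_url."""
    scheme, host, directory = policy_directory(policy_url)
    res = urlsplit(resource_url)
    return (res.scheme, res.netloc) == (scheme, host) and res.path.startswith(directory)


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
    root_policy = "http://www.nodans.com/crossdomain.xml"
    scoped_policy = "http://www.nodans.com/custom/surfingstats/crossdomain.xml"
    for res in ("http://www.nodans.com/custom/surfingstats/stats.xml",
                "http://www.nodans.com/account/settings.xml"):
        print(res, "root:", governs(root_policy, res), "scoped:", governs(scoped_policy, res))
```

Running it shows the root-level wildcard file exposing every path on the host while the file under /custom/surfingstats/ covers only that directory tree. One caveat for anyone copying this approach: from Flash Player 9.0.124 onward the default meta-policy is master-only, so the root crossdomain.xml must set <site-control permitted-cross-domain-policies="by-content-type"/> (or "all") before an off-root policy file is honored at all; with by-content-type the off-root file must also be served as text/x-cross-domain-policy.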

Poking new holes with Flash Crossdomain Policy Files

Cross-domain policy file usage recommendations for Flash Player

The Dangers of Cross-Domain Ajax with Flash
