Posted By : Dan Wilson     January 4, 2008 8:13 AM

Bruce Phillips (You should check out his interesting Flex posts) let me know that my Surfing Stats data didn't load when the swf was located off my http://www.nodans.com domain. I want others to take the code and do with it as they please so I need to make the data available across domains. This is done through the use of a crossdomain.xml file. The file I used looks like this:

This is a very promiscuous file. It allows anyone anywhere to load any data in the containing directory and all subdirectories. Such a promiscuous file also opens up security vectors. In the words of Lucas Adamski on DevNet:

As an example, a user is logged in to an e-commerce site that uses cookies for authentication. On the site is a user account settings page where you can see information such as your mailing address and other personally identifiable information. If this site has an overly permissive cross-domain policy file like *, a SWF file that is hosted on another domain could silently load the account settings data and send it elsewhere. This is because the browser appends the cookies for the e-commerce site to the request from Flash Player.

By default, the SWF looks for the crossdomain.xml file in the root of the website but with a little code, you can put it anywhere you please. I used this command to tell the SWF where to find the crossdomain.xml file:

Now, only the directory containing SurfingStats is enabled, reducing the surface area of attack. If you want to read more on the security issues with crossdomain.xml files, check out these links:
Poking new holes with Flash Crossdomain Policy Files
Cross-domain policy file usage recommendations for Flash Player
The Dangers of Cross-Domain Ajax with Flash

There are no comments for this entry.

Add Comment Subscribe to Comments