Flash Security with Off-Root CrossDomain.xml files

Bruce Phillips (You should check out his interesting Flex posts) let me know that my Surfing Stats data didn't load when the swf was located off my http://www.nodans.com domain. I want others to take the code and do with it as they please so I need to make the data available across domains. This is done through the use of a crossdomain.xml file. The file I used looks like this:

<?xml version="1.0"?>
<cross-domain-policy>
 <allow-access-from domain="*" />
</cross-domain-policy>

This is a very promiscuous file. It allows anyone anywhere to load any data in the containing directory and all subdirectories. Such a promiscuous file also opens up security vectors. In the words of Lucas Adamski on DevNet:

As an example, a user is logged in to an e-commerce site that uses cookies for authentication. On the site is a user account settings page where you can see information such as your mailing address and other personally identifiable information. If this site has an overly permissive cross-domain policy file like *, a SWF file that is hosted on another domain could silently load the account settings data and send it elsewhere. This is because the browser appends the cookies for the e-commerce site to the request from Flash Player.

By default, the SWF looks for the crossdomain.xml file in the root of the website but with a little code, you can put it anywhere you please. I used this command to tell the SWF where to find the crossdomain.xml file:

Security.loadPolicyFile("http://www.nodans.com/custom/surfingstats/crossdomain.xml");

Now only the directory containing SurfingStats (and its subdirectories) is opened up, which reduces the attack surface. If you want to read more on the security issues with crossdomain.xml files, check out these links:
Poking new holes with Flash Crossdomain Policy Files
Cross-domain policy file usage recommendations for Flash Player
The Dangers of Cross-Domain Ajax with Flash
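The two points above, that a domain="*" entry is promiscuous and that a policy file governs only the directory it is served from and everything below it, can be checked mechanically. The following is an added example and not code from the original post: a small Python audit that parses a crossdomain.xml with the standard library, lists the allowed domains, flags wildcard entries, and derives the policy's scope from the URL it is loaded at. The two policy documents are constructed samples; the second one, allowing only www.nodans.com, is a hypothetical tighter alternative rather than anything the post shows.

```python
"""Audit a Flash crossdomain.xml policy for overly permissive settings.

Added example, not code from the original post. It parses a policy file,
reports every <allow-access-from> entry, flags wildcards, and works out the
scope a policy governs from the URL it is served at: a policy at the site
root covers the whole site, one in a subdirectory covers only that directory
and its subdirectories.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the promiscuous file from the post.
PROMISCUOUS_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: a hypothetical policy limited to one named domain.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.nodans.com" />
</cross-domain-policy>
"""


def allowed_domains(policy_xml):
    """Return the domain attribute of every <allow-access-from> element."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.findall("allow-access-from")]


def wildcard_entries(policy_xml):
    """Entries granting access to any domain ('*') or any subdomain ('*.example.com')."""
    return [d for d in allowed_domains(policy_xml) if d.startswith("*")]


def policy_directory(policy_url):
    """Directory path the policy governs: its own directory plus everything below."""
    path = urlparse(policy_url).path or "/"
    return path.rsplit("/", 1)[0] + "/"


def audit(policy_xml, policy_url):
    """Summarise which domains are allowed and how much of the site they can reach."""
    parsed = urlparse(policy_url)
    directory = policy_directory(policy_url)
    wild = wildcard_entries(policy_xml)
    site_wide = directory == "/"
    if wild and site_wide:
        risk = "high"      # anyone, anywhere, can read the whole site with the user's cookies
    elif wild:
        risk = "medium"    # anyone can read, but only this directory tree
    else:
        risk = "low"       # access limited to named domains
    return {
        "scope": f"{parsed.scheme}://{parsed.netloc}{directory}",
        "site_wide": site_wide,
        "allowed": allowed_domains(policy_xml),
        "wildcards": wild,
        "risk": risk,
    }


if __name__ == "__main__":
    for xml_text, url in [
        (PROMISCUOUS_POLICY, "http://www.nodans.com/crossdomain.xml"),
        (PROMISCUOUS_POLICY, "http://www.nodans.com/custom/surfingstats/crossdomain.xml"),
        (RESTRICTED_POLICY, "http://www.nodans.com/crossdomain.xml"),
    ]:
        print(audit(xml_text, url))
```

Running the script shows the three cases side by side: the wildcard policy at the site root rates high, the same file moved under /custom/surfingstats/ drops to medium because its scope shrinks to that directory tree, and a policy naming a single domain rates low even at the root.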


1/4/08 11:41 AM # Posted By TJ Downes

Excellent post Dan. Thanks, and thanks for Surfing Stats!


6/3/08 9:26 AM # Posted By Phillip Molaro

Dan, I am just adding a crossdomain for an AIR project. I understand crossdomain in general, where I tell domainA.com to allow calls from DomainB.com. But if DomainB is my AIR app, then what's the "domain" value? I would prefer NOT to allow all, but I'm not sure how to restrict it for AIR apps coming from different locations. "Help me, Obi Wan Kenobi..."