Question

We are uploading files from an HTTP URI scheme to our S3 bucket. This means our uploader script is on our server. We sign the forms accordingly for S3. Our crossdomain.xml file looks like:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

Should I have secure="false" in allow-access-from? For example:

<allow-access-from domain="*" secure="false" />

What are the implications of having secure="false"? I've read this and this, but don't quite understand it properly.

Second, should domain="*" be an actual domain, i.e. our domain name? So http://foobar.com and http://www.foobar.com?


Solution

If you have secure="true", only requests from HTTPS will be allowed; secure="false" means requests from both HTTP and HTTPS are allowed.

EDIT: it only applies if you are running an HTTPS website. E.g. if http://website1.com requests a resource from the website https://website2.com, which has secure="true" in its crossdomain.xml, then the resource will be denied. However, if website2.com is running on HTTP and not HTTPS, then it doesn't matter, and both HTTP and HTTPS will be permitted no matter what the secure setting in crossdomain.xml says.

http://www.senocular.com/pub/adobe/crossdomain/policyfiles.html#allow-access-from-secure
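As an added illustration (not part of the original question or answer), the following Python script evaluates a crossdomain.xml the way the answer describes: it parses the allow-access-from rules, treats an omitted secure attribute as true only when the policy itself is served over HTTPS, and ignores secure entirely for an HTTP-served policy. The policy bodies, the S3 hostname and the requesting sites are constructed sample values; the rule that "*.foobar.com" also covers the bare "foobar.com" is my assumption about Flash Player's wildcard matching, not something the page states.

```python
"""Evaluate which requesting origins a crossdomain.xml grants access to,
including the `secure` attribute semantics described in the answer above.
Added example; the policies and hostnames below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# The policy from the question: no secure attribute at all.
POLICY_WILDCARD = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# The variant the question asks about: secure="false" on the wildcard.
POLICY_INSECURE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
"""

# Scoped to one site and its subdomains, still letting HTTP pages in.
POLICY_SCOPED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foobar.com" secure="false" />
</cross-domain-policy>
"""

# Placeholder bucket URLs; S3 serves crossdomain.xml from the bucket root.
BUCKET_HTTPS = "https://bucket.s3.amazonaws.com/crossdomain.xml"
BUCKET_HTTP = "http://bucket.s3.amazonaws.com/crossdomain.xml"


@dataclass(frozen=True)
class Rule:
    domain: str
    secure: bool  # effective value after the default has been applied


def parse_policy(xml_text: str, policy_url: str) -> list[Rule]:
    """Return the allow-access-from rules with `secure` resolved.

    When the policy is served over HTTPS an omitted `secure` defaults to
    true; for an HTTP-served policy the attribute has no effect, so it is
    resolved to false here (this mirrors the answer, not a separate spec check).
    """
    policy_https = urlsplit(policy_url).scheme == "https"
    root = ET.fromstring(xml_text.encode())  # our own file, not untrusted input
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain")
        if not domain:
            continue
        raw = el.get("secure")
        if not policy_https:
            secure = False
        elif raw is None:
            secure = True
        else:
            secure = raw.strip().lower() == "true"
        rules.append(Rule(domain=domain, secure=secure))
    return rules


def domain_matches(pattern: str, host: str) -> bool:
    """Match a requesting host against a domain attribute value."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: "*.foobar.com" covers foobar.com and every subdomain.
        suffix = pattern[1:]
        return host == suffix[1:] or host.endswith(suffix)
    return host == pattern


def is_allowed(xml_text: str, policy_url: str, requester_url: str) -> bool:
    """True if a SWF loaded from requester_url may read the bucket."""
    req = urlsplit(requester_url)
    for rule in parse_policy(xml_text, policy_url):
        if not domain_matches(rule.domain, req.hostname or ""):
            continue
        if rule.secure and req.scheme != "https":
            continue  # HTTPS policy with secure=true: HTTP requesters are denied
        return True
    return False


if __name__ == "__main__":
    for name, policy in (("wildcard", POLICY_WILDCARD),
                         ("insecure", POLICY_INSECURE),
                         ("scoped", POLICY_SCOPED)):
        for bucket in (BUCKET_HTTPS, BUCKET_HTTP):
            for site in ("http://foobar.com", "https://www.foobar.com",
                         "https://attacker.example"):
                print(f"{name:9} policy at {bucket[:5]:5} {site:28} "
                      f"-> {is_allowed(policy, bucket, site + '/uploader.swf')}")
```

Running it shows the question's wildcard policy on an HTTPS bucket rejecting a SWF served from http://foobar.com, which is exactly the situation that makes secure="false" necessary, and that secure stops mattering once the policy is fetched over plain HTTP. It also answers the second question by example: with domain="*" every requesting site, attacker.example included, is granted access, whereas the "*.foobar.com" policy admits only foobar.com and its subdomains.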

Licensed under: CC-BY-SA with attribution