Question

I'm having difficulty in figuring out why crossdomain.xml is a useful feature. It seems back to front to me. Why restrict flash (by default) from reading from publicly available services?

What's the point, to prevent DDoS attacks from people downloading malicious flash software?

It doesn't seem to protect the flash users at all, only third party websites, and especially as that's circumventable with a proxy, it seems to render the whole thing pointless.


Solution

Flash files execute on the user's machine in a trusted environment. Without crossdomain files a SWF could take a guess at internal services, anything behind a firewall, that the user has access to but a SWF should not. This is a major security risk. While there are other reasons for the policy, this is by far the most important one. So you are correct, it is annoying that it is needed to access public APIs, but it's better than it accessing private APIs (imagine corporate directory services) just because the content is running on your machine.

OTHER TIPS

Crossdomain policy files can expose protected data from internal servers and servers which require authentication. More details:
http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/
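To make the accepted answer and the warning above concrete, here is an added example that is not from this thread, from Adobe, or from the linked article. It evaluates a crossdomain.xml policy the way Flash Player would for a given requesting SWF, and flags the directives that turn an internal server into a target. Both policies and all hostnames (corp.example, evil.example) are constructed; the wildcard-matching rules are my reading of Adobe's policy-file specification and are marked as an assumption in the code.

```python
"""Evaluate Flash crossdomain.xml policies against a requesting SWF origin.

Added example, not code from the original thread. The two policies and the
hostnames below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed: the kind of policy that exposes an intranet server to any SWF,
# including one an employee was tricked into loading from an attacker's site.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed: hardened policy; only the company's own SWF hosts are allowed.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.corp.example"/>
  <allow-access-from domain="*.static.corp.example"/>
</cross-domain-policy>
"""


def _domain_matches(pattern: str, host: str) -> bool:
    """Match a requesting host against an allow-access-from domain value.

    Assumption (my reading of the Adobe policy-file spec): "*" matches any
    host, "*.example.com" matches example.com and every subdomain, and any
    other value is an exact, case-insensitive match.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return pattern == host


def is_allowed(policy_xml: str, swf_host: str, swf_scheme: str, policy_scheme: str) -> bool:
    """Would a SWF loaded from swf_scheme://swf_host be allowed to read data
    from the server that published policy_xml over policy_scheme?"""
    root = ET.fromstring(policy_xml)
    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "none":
        return False
    for rule in root.findall("allow-access-from"):
        if not _domain_matches(rule.get("domain", ""), swf_host):
            continue
        # An https policy only admits http-loaded SWFs when the rule says secure="false"
        secure = rule.get("secure", "true").lower() != "false"
        if policy_scheme == "https" and swf_scheme != "https" and secure:
            continue
        return True
    return False


def audit(policy_xml: str) -> List[str]:
    """Return findings for the directives that make a policy dangerous."""
    findings = []
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any SWF on the web can read this server')
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: plaintext-loaded SWFs may read HTTPS data')
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any SWF can send custom headers')
    return findings


if __name__ == "__main__":
    attacker_host, attacker_scheme = "evil.example", "http"
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        ok = is_allowed(policy, attacker_host, attacker_scheme, "https")
        print(f"{name}: SWF from {attacker_scheme}://{attacker_host} allowed={ok}")
        for finding in audit(policy):
            print("  finding:", finding)
```

Run it against the policy an internal server actually serves (fetch /crossdomain.xml and pass the text in) and the audit output is the list of things to fix; the weak policy above is allowed for the attacker's SWF, the strict one is not, and the strict one also refuses an http-loaded SWF from an otherwise permitted host because it never sets secure="false".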

I've only just thought of this. Honestly it wasn't in my head when I began asking the question.

It may be to protect the developer of a flash file. Assuming someone didn't have the technical know-how to decompile a flash file, and its data requests were hard-coded, lifting that flash file off the public webserver and placing it on your own web server effectively renders that flash ineffective.

If that is the case all requests made by a flash file should use the fully qualified requests. I.e. not relative requests.

Dunno if that's what they were thinking or not.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow