I was wondering, are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server, and are you aware of any workarounds that don't require the server to have this file in place?
Thanks Damien
A cross-domain policy is simply a user-defined set of permitted data access rules encapsulated in a crossdomain.xml file. It is only viable on servers that communicate via HTTP, HTTPS, or FTP. A cross-domain policy file is an XML document that grants a web client permission to handle data across one or more domains.
You need a crossdomain.xml file when your Speedtest Server uses external hosts as testing servers.
You need to place the crossdomain.xml file in the root of your server, not in a subdirectory. If you need help on how to configure JBoss or your proxy to allow this, I suggest you try https://serverfault.com/ :).
By adding the crossdomain.xml, the main security concern is that flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious flash app, that flash app can connect back to your site. Since it's in a browser, cookies are shared to the flash app. This allows the flash app to hijack the user's session to do whatever it is your website does without the user knowing about it.
If your Flex app is served from the same server, you don't need a crossdomain.xml.
You can put it in a subdirectory of your site and use System.security.loadSecurityPolicy():
http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html
Applications would then be limited to that tree of your directory structure.
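As an added example, not code from either answer above: a small Python audit that parses a crossdomain.xml and flags the permissive settings the answers warn about (a wildcard domain, secure="false", and site-control set to "all"). The two sample policies and their hostnames are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a wildcard policy that lets any Flash/Flex app
# talk to the server with the user's cookies attached.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: only the named test hosts, master policy only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="speedtest1.example.org"/>
  <allow-access-from domain="speedtest2.example.org"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings describing why the policy is risky.

    An empty list means: no wildcard hosts, no plaintext access
    granted by an HTTPS policy, and no "all" site-control setting.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control allows policy files anywhere on the host")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" admits every origin')
        elif domain.startswith("*."):
            findings.append("wildcard subdomain rule: %s" % domain)
        # The secure attribute defaults to true; "false" lets http://
        # content use a policy served over https://.
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false" on rule for %s' % domain)
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append("any origin may send any request header")
    return findings
```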