Flex and crossdomain.xml?

By adding the crossdomain. Xml, the main security concern is that flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious flash app, that flash app can connect back to your site.

Since it's in a browser, cookies are shared to the flash app. This allows the flash app to hijack the user's session to do whatever it is your website does without the user knowing about it If your flex app is served from the same server, you don't need a crossdomain. Xml You can put it in a sub directory of your site and use System.security.

LoadSecurityPolicy() livedocs.adobe.com/flex/2/langref/flash/... Applications would then be limited to that tree of your directory structure.

By adding the crossdomain. Xml, the main security concern is that flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious flash app, that flash app can connect back to your site.

Since it's in a browser, cookies are shared to the flash app. This allows the flash app to hijack the user's session to do whatever it is your website does without the user knowing about it. If your flex app is served from the same server, you don't need a crossdomain.

Xml You can put it in a sub directory of your site and use System.security. LoadSecurityPolicy() livedocs.adobe.com/flex/2/langref/flash/... Applications would then be limited to that tree of your directory structure.

Marc Thanks for your comments. This sort of thing is worrying. Do you know if adobe are working on this or coming up with any more security features to fix this potential threat?

Thanks Damien – Damo Sep 19 '08 at 13:08 1 This is a "potential" threat by design, sometimes you need to be able to do crossdomain communication, that's why you need to explicitly allow connections using this file. – grapefrukt Sep 19 '08 at 20:38 I don't quite understand this risk. If you put an "allow everything" crossdomain.

Xml at the root of your server, doesn't that just give Flash apps the same access as browsers already have? Javascript on a web page at xxx. Com can't see cookies at yyy.Com because the browser and Javascript security won't allow it.

Can a flash file at xxx. Com really access cookies at yyy.Com (if yyy. Com's crossdomain.

Xml is set to allow everything)? – SkippyFlipjack Oct 7 '09 at 19:50 Damo - Crossdomain. Xml IS the fix to the potential threat.

Don't put one up if you don't want applications from other domains to hit your server. – Marc Hughes Nov 12 '09 at 18:31 4 Skippy - Lets say BANK. COM has a page that lets you transfer money between accounts.

Lets say it has an open crossdomain. Xml file. Now, lets say user BOB logs into BANK.

COM as usual. Next, BOB leaves BANK. COM and goes to EVIL.COM.

On EVIL.COM is a malicious flash app. That app can make a request to BANK.COM. That request will come from the browser just like any other request.

That means the app could silently hit that transfer-page. BANK. COM would see the user as already logged in because the request came from a browser that had correctly authenticated, and happily allow it to proceed.

– Marc Hughes Nov 12 '09 at 18:33.

There are no workaround for the crossdomain file, it is required to support the crossdomain data access or crossdomain scripting. In the event of any cross-domain request, Flash will look for the crossdomain. Xml file at the root of the domain.

For example, if you are requesting an XML file from: mysubdomain.mydomain.com/fu/bar/ Flash will check if a crossdomain. Xml file exist at: mysubdomin.mydomain.com/crossdomain.xml You can place the crossdomain. Xml file in other location.

However, when you ever need to load a crossdomain. Xml file from a different location, you have to do it via Security. LoadPolicyFile .

Bear in mind that the location of this crossdomain have any impact on the security access you have. Flash will only grant access to the folder that contains the crossdomain and its child folders. You may also want to read up on the security changes in Flash Player 10.

You may configure a virtual host for your application. This way the file crossdomain. Xml can be at the root of your application but not necessarily at the root of the server.

Yes. Be very careful with crossdomain policy files: jamesward.com/2009/11/08/how-bad-crossdo... My two general rules of thumb are: Do not put a crossdomain policy file on a server that uses cookies Do not put a crossdomain policy file on an internal server.

Crossdomain. Xml is just a file that has meaning to the Flash runtime; you can restrict what HTTP requests get to see it. You can use web server (e.g. Apache) configuration control to allow read access to it (and only it) from the "root" directory (see previous answers).

You might filter by other headers in the request, etc. Cheers.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.