Flash’s crossdomain.xml Dangers

Get the WebProNews Newsletter:

[ Social Media]

PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash.

If you have implemented a crossdomain.xml file you will want to read his post.

If you have a crossdomain.xml file on your domain, and you allow access from ALL domains, then you are essentially opening that domain up to Cross Site Request Forgery attacks.

Chris found that flickr had a crossdomain.xml file setup to allow flash applications to be built using the Flickr API.

The problem is that you can write a flash application that would allow almost any action a logged in flickr user could perform.

Flickr has fixed the problem by moving the API endpoint, and crossdomain.xml to api.flickr.com, instead of running under something like flickr.com/api.

Now a flash application can’t make calls to flickr.com from another domain.

The moral of the story is to make sure that your API runs on a different domain from your public web site if you are going to implement a crossdomain.xml file.


Related Entries

*Originally published at Pete Freitag’s HomePage

Pete Freitag (http://www.petefreitag.com/) is a software engineer, and
web developer located in central new york. Pete specializes in the
HTTP protocol, web services, xml, java, and coldfusion. In 2003 Pete
published the ColdFusion MX Developers Cookbook with SAMs Publishing.

Pete owns a Firm called Foundeo (http://foundeo.com/) that specializes
in Web Consulting, and Products for Web Developers.

Flash’s crossdomain.xml Dangers
Comments Off
Top Rated White Papers and Resources

Comments are closed.

  • Join for Access to Our Exclusive Web Tools
  • Sidebar Top
  • Sidebar Middle
  • Sign Up For The Free Newsletter
  • Sidebar Bottom