4

I'm having difficulty in figuring out why crossdomain.xml is a useful feature. It seems back to front to me. Why restrict flash (by default) from reading from publicly available services?

What's the point to prevent DDOS attacks from people downloading malicious flash software.

It doesn't seem to protect the flash users at all only third party websites, especially as that's circumventable with a proxy it seems to render the whole thing pointless.

Wes
  • 6,697
  • 6
  • 34
  • 59

3 Answers3

2

Flash files execute on the users machine in a trusted environment. Without crossdomain files a swf could take a guess at internal services, anything behind a firewall, that the user has access to but a SWF should not. This is a major security risk. While there are other reasons for the policy this is by far the most important reason. So you are correct it is annoying that it is needed to access public api's but its better than it accessing private api's, imagine corporate directory services, just because the content is running on your machine.

Greg
  • 600
  • 2
  • 5
  • So your saying if I get this correct the problem is when the flash file tries to retrieve something from localhost, assuming the user has a http server on localhost (127.0.0.x) whatever. Seems like a very minority use case to me. – Wes Nov 28 '10 at 19:15
  • There is more than just localhost accessible from your machine. Imagine being behind a firewall at a corporation that has a directory of employees, etc. – Greg Nov 28 '10 at 19:33
  • your right of course. Can you edit your answer to include that information in a clearer way? and I'll accept it. – Wes Nov 28 '10 at 19:53
2

Crossdomain policy files can expose protected data from internal servers and servers which require authentication. More details:
http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/

James Ward
  • 29,283
  • 9
  • 49
  • 85
  • James great write up at your website. However I think your answer and Greg's answer are equivalent and he was certainly first. So I'm going to accept his answer. Sorry. – Wes Nov 28 '10 at 19:58
-1

I've only just thought of this. Honestly it wasn't in my head when I began asking the question.

It may be to protect the developer of a flash file. Assuming someone didn't have the technical know how to decompile a flash file, and its data requests where hard coded. Lifting that flash file of the public webserver and placing on your own web server effectively renders that flash ineffective.

If that is the case all requests made by a flash file should use the fully qualified requests. I.e. not relative requests.

Dunno if that's what they were thinking or not.

Wes
  • 6,697
  • 6
  • 34
  • 59