Flex and crossdomain.xml


Solution 1

By adding the crossdomain.xml, the main security concern is that Flash applications can now connect to your server. So if someone logs into your site and then browses over to another website with a malicious Flash app, that Flash app can connect back to your site. Since it's in a browser, cookies are shared with the Flash app. This allows the Flash app to hijack the user's session to do whatever it is your website does without the user knowing about it.

If your Flex app is served from the same server, you don't need a crossdomain.xml.

You can put it in a subdirectory of your site and use System.security.loadSecurityPolicy():

http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html

Applications would then be limited to that tree of your directory structure.

Solution 2

There is no workaround for the crossdomain file; it is required to support cross-domain data access or cross-domain scripting. In the event of any cross-domain request, Flash will look for the crossdomain.xml file at the root of the domain. For example, if you are requesting an XML file from:

http://mysubdomain.mydomain.com/fu/bar/

Flash will check if a crossdomain.xml file exists at:

http://mysubdomain.mydomain.com/crossdomain.xml

You can place the crossdomain.xml file in other locations. However, whenever you need to load a crossdomain.xml file from a different location, you have to do it via Security.loadPolicyFile. Bear in mind that the location of this crossdomain.xml file does have an impact on the security access you have: Flash will only grant access to the folder that contains the crossdomain.xml and its child folders.

You may also want to read up on the security changes in Flash Player 10.
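The two points made in the answers above (Solution 1: an "allow everything" policy lets a Flash app on any site reuse the visitor's authenticated session against your server; Solution 2: a policy file only governs the directory it is served from and that directory's children) as an added Python example. This is not code from either answer or from Adobe. The two policy documents are constructed samples, and the URL-prefix rule in `policy_scope` is a simplification of Flash Player's behaviour that matches on an exact scheme, host and directory prefix only.

```python
"""Audit a Flash crossdomain.xml policy and work out which URLs it governs.

Added example, not code from the original answers. The policy texts are
constructed samples; the scope rule (a policy governs its own directory
and everything below it) is the one stated in Solution 2.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the "allow everything" policy the comments warn about.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: only named origins, HTTPS-only where the data is sensitive.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (domain, issue) tuples for risky allow-access-from rules."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # secure defaults to true: a policy served over HTTPS does not admit
        # SWFs loaded over plain HTTP unless secure="false" is set explicitly.
        secure = rule.get("secure", "true").lower() == "true"
        if domain == "*":
            findings.append((domain, "wildcard: a SWF on any site may send "
                                     "credentialed requests to this server"))
        elif domain.startswith("*."):
            findings.append((domain, "subdomain wildcard: every host under this "
                                     "suffix is trusted, including ones you do not run"))
        if not secure:
            findings.append((domain, 'secure="false": SWFs loaded over plain HTTP '
                                     "may read data from the HTTPS site"))
    return findings


def policy_scope(policy_url):
    """URL prefix a policy file governs: its own directory and everything below it.

    For the master policy at /crossdomain.xml this is the whole site; for a
    policy loaded via Security.loadPolicyFile from /api/crossdomain.xml it is
    only /api/ and its children.
    """
    parts = urlsplit(policy_url)
    directory = parts.path.rsplit("/", 1)[0] + "/"
    return f"{parts.scheme}://{parts.netloc}{directory}"


def covers(policy_url, request_url):
    """True if a Flash request to request_url falls inside the policy's scope.

    Simplification: scheme, host and port must match the policy URL exactly.
    """
    return request_url.startswith(policy_scope(policy_url))


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy) or "no findings")
    master = "http://mysubdomain.mydomain.com/crossdomain.xml"
    sub = "http://mysubdomain.mydomain.com/api/crossdomain.xml"
    print(covers(master, "http://mysubdomain.mydomain.com/fu/bar/"))  # True
    print(covers(sub, "http://mysubdomain.mydomain.com/fu/bar/"))     # False
```

Run the audit against whatever your server actually serves at /crossdomain.xml (and at any path you hand to Security.loadPolicyFile), not against the file in your repository: the deployed copy is the one Flash Player reads. If you want no cross-domain Flash access at all, the master policy can carry `<site-control permitted-cross-domain-policies="none"/>`, which tells Flash Player to honour no policy files on that host, including ones dropped into subdirectories.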

Author: klye_g

Updated on October 14, 2020

Comments

  • klye_g over 3 years

    I was wondering, are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server, and are you aware of any workarounds that don't require the server to have this file in place?

    Thanks, Damien

  • klye_g almost 16 years
    Hi Marc, thanks for your comments. This sort of thing is worrying. Do you know if Adobe are working on this or coming up with any more security features to fix this potential threat? Thanks, Damien
  • James Aguilar almost 16 years
    This is a "potential" threat by design; sometimes you need to be able to do cross-domain communication, and that's why you need to explicitly allow connections using this file.
  • SkippyFlipjack over 14 years
    I don't quite understand this risk. If you put an "allow everything" crossdomain.xml at the root of your server, doesn't that just give Flash apps the same access as browsers already have? JavaScript on a web page at xxx.com can't see cookies at yyy.com because the browser and JavaScript security won't allow it. Can a Flash file at xxx.com really access cookies at yyy.com (if yyy.com's crossdomain.xml is set to allow everything)?
  • Anon over 14 years
    Damo - crossdomain.xml IS the fix to the potential threat. Don't put one up if you don't want applications from other domains to hit your server.
  • Anon over 14 years
    Skippy - Let's say BANK.COM has a page that lets you transfer money between accounts. Let's say it has an open crossdomain.xml file. Now, let's say user BOB logs into BANK.COM as usual. Next, BOB leaves BANK.COM and goes to EVIL.COM. On EVIL.COM is a malicious Flash app. That app can make a request to BANK.COM. That request will come from the browser just like any other request. That means the app could silently hit that transfer page. BANK.COM would see the user as already logged in because the request came from a browser that had correctly authenticated, and happily allow it to proceed.
  • Erlend over 14 years
    Marc's comment is to the point. You should not have an unrestricted crossdomain.xml unless all your data is public. Recent blog post on this topic: erlend.oftedal.no/blog/?blogid=101
  • Brian about 10 years
    This isn't strictly true; the workaround for the crossdomain file is to proxy all network traffic through the same server hosting your Flash application.