Home » Blogs » dan's blog

How I enabled Flash to load content from an off-webroot crossdomain.xml file

Submitted by Dan Wilson on Thu, 2008/01/24 - 6:10pm
  • Delicious
  • Digg
  • StumbleUpon
  • Reddit
  • Technorati
Tags:

Bruce Phillips (You should check out his interesting Flex posts) let me know that my Surfing Stats data didn't load when the swf was located off my http://www.nodans.com domain. I want others to take the code and do with it as they please so I need to make the data available across domains. This is done through the use of a crossdomain.xml file. The file I used looks like this: 

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>

This is a very promiscuous file. It allows anyone anywhere to load any data in the containing directory and all subdirectories. Such a promiscuous file also opens up security vectors. In the words of Lucas Adamski on DevNet:

As an example, a user is logged in to an e-commerce site that uses cookies for authentication. On the site is a user account settings page where you can see information such as your mailing address and other personally identifiable information. If this site has an overly permissive cross-domain policy file like *, a SWF file that is hosted on another domain could silently load the account settings data and send it elsewhere. This is because the browser appends the cookies for the e-commerce site to the request from Flash Player.

By default, the SWF looks for the crossdomain.xml file in the root of the website but with a little code, you can put it anywhere you please. I used this command to tell the SWF where to find the crossdomain.xml file: 

Security.loadPolicyFile("http://www.nodans.com/custom/surfingstats/crossdomain.xml");

Now, only the directory containing SurfingStats is enabled, reducing the surface area of attack. If you want to read more on the security issues with crossdomain.xml files, check out these links:
Poking new holes with Flash Crossdomain Policy Files
Cross-domain policy file usage recommendations for Flash Player
The Dangers of Cross-Domain Ajax with Flash

Original content at Dan Wilson's Blog

Dan Wilson, principal partner of DataCurl LLC, began his IT career at a fast-paced start-up during the dotcom heyday. He has since then held senior program and development positions in Technical Consulting, Health Care, Online Publishing and Government Contracting. Dan is an avid participant in technology communities; currently serving on the board for the Triangle ColdFusion User Group in Research Triangle Park, North Carolina. Dan is a DZone MVB and is not an employee of DZone and has posted 27 posts at DZone. You can read more from them at their website.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)