msfeldstein

Reputation: 1100

What is the purpose of Flash's crossdomain.xml protection?

If you want to use content on another server, that server needs to host a crossdomain.xml file allowing access. If this file isn't there, Flash won't let you access it. Given that it's easy enough to just write a proxy (say a PHP script that curls the external URLs), what is the purpose of this restriction? It seems that the content is still 100% available to external people, but there is just one extra hoop to jump through. What am I missing?

Upvotes: 2

Views: 470

Answers (2)

Benny Tjia

Reputation: 4883

crossdomain.xml was introduced to prevent attacks such as cross-site request forgery and also DNS rebinding attacks.

Upvotes: 0

grapefrukt

Reputation: 27045

If Flash just did the request flat out without asking for permission first, it would be possible to do what is called cross-site request forgery.

It basically means that since the request is coming from your computer, it will come with your cookies. So by accessing a known URL, say Gmail, I could pretend to be you. And since it's all well hidden within a .swf, you'd never know what happened.

However, if the request goes through a proxy on another server (normally the same server that is hosting the SWF), none of those cookies will be present and everything is nice and safe.

Upvotes: 2
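The answers above describe what the policy file gates: a cross-origin read that carries the victim's cookies. As an added example (not code from the original post or from Adobe), here is a small Python checker that parses a crossdomain.xml, decides whether a SWF from a given host would be allowed to read this server's responses, and flags the settings that open that read to untrusted origins. Both policy documents are constructed samples; the hostnames are placeholders.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample policies (placeholder hostnames, not from the original post).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="*.cdn.example.com" />
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns the policy grants read access to."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def is_origin_allowed(policy_xml, origin_host):
    """True if a SWF served from origin_host may read this server's responses.

    Flash matches the domain attribute either exactly or with a leading
    wildcard (e.g. "*.cdn.example.com"); hostnames are case-insensitive.
    """
    host = origin_host.lower()
    return any(fnmatchcase(host, pattern.lower()) for pattern in allowed_domains(policy_xml))


def audit_policy(policy_xml):
    """List the grants that let an arbitrary site make cookie-carrying reads."""
    findings = []
    for pattern in allowed_domains(policy_xml):
        if pattern == "*":
            findings.append("allow-access-from domain='*': any site can read authenticated responses")
        elif pattern.startswith("*."):
            findings.append(f"wildcard subdomain grant: {pattern}")
    root = ET.fromstring(policy_xml)
    if root.find("site-control") is None:
        findings.append("no site-control element: permitted-cross-domain-policies not set explicitly")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(name, "-> attacker.example allowed:", is_origin_allowed(policy, "attacker.example"))
        for finding in audit_policy(policy):
            print("  ", finding)
```

The permissive policy is exactly the configuration that hands the cookie-carrying read to every origin; the proxy approach in the question does not have that problem because the proxy never holds the visitor's cookies.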
