Is there any security problem in hosting a crossdomain.xml on our servers?

Tag: flash Author: yjx5256826 Date: 2009-08-09

We were asked to host a crossdomain.xml file on our servers in order to access some XML files we have developed. The content of this file is:

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

Is it OK?

Other Answer1

Well, that lets any Flash app from any port load XML data from your domain.

That being said, you do need to set a bunch of other data in order for it to be a valid cross-domain policy file (there were new required elements added with FP9).

Here's the full spec for cross-domain policies: http://www.adobe.com/devnet/articles/crossdomain%5Fpolicy%5Ffile%5Fspec.html

You can find all of the most recent security recommendations for cross-domain policy files (and everything else concerning the Flash Player) here: http://www.adobe.com/devnet/flashplayer/articles/flash%5Fplayer10%5Fsecurity%5Fwp.html

Other Answer2

This will allow Flash content hosted from anywhere to load data directly into a client from your services, and can have significant security implications, depending on your authentication model and setup.
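
As an added example (not part of the original question or answers), here is a short Python audit that flags the wildcard grants in a policy file like the one in the question. The function name, the severity labels and the restricted sample using partner.example.com are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The policy from the question, reproduced as posted.
QUESTION_POLICY = """<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>"""

# Constructed sample: access limited to one named partner host.
RESTRICTED_POLICY = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="partner.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for a policy file."""
    # Intended for policy files you host yourself, not untrusted XML.
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]
    if root.find("site-control") is None:
        findings.append(("info", "no <site-control>; meta-policy left to player default"))
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.iter(tag):
            domain = el.get("domain", "").strip()
            if domain == "*":
                findings.append(("high", f"<{tag}> grants every origin"))
            elif domain.startswith("*."):
                findings.append(("medium", f"<{tag}> grants all subdomains of {domain[2:]}"))
            if el.get("to-ports", "").strip() == "*":
                findings.append(("medium", f"<{tag}> to-ports is a wildcard"))
            if el.get("secure", "true").lower() == "false":
                findings.append(("high", f"<{tag}> lets HTTP-served content read HTTPS data"))
            if tag.startswith("allow-http") and el.get("headers", "").strip() == "*":
                findings.append(("high", f"<{tag}> permits any request header"))
    return findings


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name)
        for severity, message in audit_policy(policy):
            print(f"  [{severity}] {message}")
```

Whether a "high" finding matters in practice depends on what the host serves: if responses vary with the visitor's cookies or network position, a wildcard grant exposes that data to any Flash content the visitor loads.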