Is there any security problem in hosting a crossdomain.xml on our servers?

Tag: flash Author: yjx5256826 Date: 2009-08-09

We were asked to host a crossdomain.xml file on our servers in order to access some XML files we have developed. The content of this file is:

<allow-access-from domain="*" to-ports="*"/>

Is it OK?

Other Answer1

Well, that lets any Flash app from any port load XML data from your domain.

That being said, you do need to set a bunch of other data in order for it to be a valid cross-domain policy file (there were new required elements added with FP9).

Here's the full spec for cross-domain policies:

You can find all of the most recent security recommendations for cross-domain policy files (and everything else concerning the Flash Player) here:

Other Answer2

This will allow Flash content hosted from anywhere to load data directly into a client from your services, and can have significant security implications, depending on your authentication model and setup.