[osflash] crossdomain security holes

Evert | Rooftop evert at rooftopsolutions.nl
Thu Oct 19 16:57:16 EDT 2006


Micha,

The best way to get around any possible crossdomain issues is the following:

    * filter everything well on the html side, just like you usually do
      for XSS-type attacks
    * if you are using html blacklisting, you might want to scan for
      crossdomain information that might be embedded
    * if you deal with uploaded files, make sure those files are only
      accessible in a subdirectory that's not part of the same tree as
      the urls you use to perform 'actions' such as handling of new user
      information, posting comments etc.

The points above apply to all web applications, not just flash-enabled ones.

If you want an all-access amf gateway or other stuff accessible to flash,
do it on a separate domain (api.yourdomain.com) and don't use the same
sessions as the html web applications.

Evert

Michael Stuhr wrote:
> Peter Elst schrieb:
>
>> Is this what you were referring to Micha? I know this blog post by Martijn
>> went around a few times to explain the concept:
>>
>> http://www.martijndevisser.com/blog/article/why-crossdomainxml-is-a-good-thing
>>
> nope, it was Mike Chambers who said sth about that. Martijn's is definitely good, but I
> really understood it when Mike explained this. Since I do most of my job-time html+css I
> forgot about this and now I have spent some months on coding a flash-based extranet which
> makes use of crossdomain. I'm unsure now what I shall do.
>
> micha
>
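The second bullet above (scanning user-supplied content for an embedded crossdomain policy) as an added example, not code from this thread or from any Flash project. It assumes the upload handler can pass the raw bytes to a check before the file is stored; the patterns, names and sample inputs are constructed here.

```python
import re
from dataclasses import dataclass, field

# Flash reads a policy from the response *body*, so any user-uploaded file that
# contains a <cross-domain-policy> element and is served from the main site tree
# can be loaded as if it were a policy file. These patterns (an assumption of this
# example, not an Adobe-defined grammar) pick out that element and the domains it
# would grant access to.
POLICY_RE = re.compile(
    rb"<\s*cross-domain-policy\b.*?</\s*cross-domain-policy\s*>",
    re.IGNORECASE | re.DOTALL,
)
ALLOW_RE = re.compile(
    rb"""<\s*allow-access-from\b[^>]*\bdomain\s*=\s*['"]([^'"]*)['"]""",
    re.IGNORECASE,
)


@dataclass
class ScanResult:
    has_policy: bool
    allowed_domains: list = field(default_factory=list)


def scan_upload(data: bytes) -> ScanResult:
    """Report whether `data` embeds a crossdomain policy and which domains it names."""
    match = POLICY_RE.search(data)
    if not match:
        return ScanResult(False)
    domains = [d.decode("utf-8", "replace") for d in ALLOW_RE.findall(match.group(0))]
    return ScanResult(True, domains)


def accept_upload(data: bytes) -> bool:
    """A policy element has no business in user content: reject the whole upload."""
    return not scan_upload(data).has_policy


# Constructed samples: a plain image header, and a text file smuggling a policy.
SAFE_UPLOAD = b"GIF89a" + b"\x00" * 16
POLICY_UPLOAD = (
    b"hello\n<cross-domain-policy>"
    b'<allow-access-from domain="*"/>'
    b"</cross-domain-policy>\n"
)
```

Serving uploads from a separate domain, as the third bullet suggests, is still the primary control; this check only catches files that would otherwise be dropped into the main tree.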