[osflash] crossdomain security holes
Peter Elst
peter.elst at telenet.be
Fri Oct 20 15:31:12 EDT 2006
Hi guys,
Sorry for the dumb questions, I haven't had a chance to read that
crossdomain article in detail yet. How exactly does it pose a security
risk? In my understanding any server-side code can do what Flash
does without any sandbox restrictions, or am I wrong?
I've always assumed crossdomain policy files aren't an impenetrable
fortress but does it open any additional security risks over any other
technologies?
Thanks!
Peter
Geoff Stearns wrote:
> the real lesson to learn here is simple:
>
> never create a crossdomain.xml that allows any site to connect to
> yours. no asterisks!
>
> if you absolutely have to do it, put it on a separate domain that
> can't be used to access other normal site operations.
>
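The difference between a wildcard crossdomain.xml and "server-side code can do the same" is where the request runs: a SWF loaded from an attacker's page executes in the victim's browser and its requests carry the victim's cookies for the target host, so an `<allow-access-from domain="*" />` entry lets that SWF read authenticated responses that a script on the attacker's own server could never obtain. The following checker is an added example, not code from this thread or from anyone quoted in it; it parses the `<allow-access-from>` entries of a policy file and flags the wildcard and `secure="false"` settings the quoted advice is about. The two policy documents and the host names in them are constructed for illustration.

```python
"""Checker for Flash crossdomain.xml policies (added example, not part of
the original thread). It parses the <allow-access-from domain="..."> entries
and reports the ones that let a SWF served from any origin make credentialed
requests to this host from a victim's browser and read the response.
The sample policies below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard policy the thread warns against.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: an explicit allow-list, the corrected form
# (host names are hypothetical).
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="api.example.com" secure="true" />
</cross-domain-policy>
"""


def allowed_domains(policy_xml):
    """Return the domain attribute of every <allow-access-from> entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.findall("allow-access-from")]


def audit_policy(policy_xml):
    """Return a list of (severity, message) findings for a policy file.

    'critical': domain="*" lets a SWF on any site read responses from this
                host using the victim's cookies, which server-side code on
                the attacker's machine cannot do (it holds no victim cookies).
    'warning' : a wildcard pattern such as *.example.com, which trusts every
                host under that domain, or secure="false", which lets a SWF
                loaded over plain HTTP read an HTTPS host's responses.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower()
        if domain == "*":
            findings.append(("critical",
                             'domain="*" grants every origin access'))
        elif domain.startswith("*."):
            findings.append(("warning",
                             "wildcard %s trusts every host under it" % domain))
        elif "*" in domain:
            findings.append(("warning", "wildcard in domain %s" % domain))
        if secure == "false":
            findings.append(("warning",
                             'secure="false" for %s lets HTTP SWFs read HTTPS '
                             "responses" % (domain or "(unset)")))
    return findings


def is_wildcard_open(policy_xml):
    """True when the policy contains domain="*", i.e. any origin is allowed."""
    return any(sev == "critical" for sev, _ in audit_policy(policy_xml))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, allowed_domains(policy))
        for sev, msg in audit_policy(policy):
            print("  [%s] %s" % (sev, msg))
```

Running the script against the two constructed policies reports the wildcard entry as critical and nothing for the explicit allow-list; the same parsing can be pointed at a fetched `/crossdomain.xml` to audit a real host. This also matches the second piece of quoted advice: if a wildcard is unavoidable, the policy that carries it should sit on a host that serves nothing session-bound.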