What is the purpose of Flash's crossdomain.xml protection?

If you want to use content on another server, that server needs to host a crossdomain.xml file allowing access. If this file isn't there, Flash won't let you access it. Given that it's easy enough to just write a proxy (say, a PHP script that curls the external URLs), what is the purpose of this restriction? It seems that the content is still 100% available to external people, but there is just one extra hoop to jump through. What am I missing?

Answers


If Flash just did the request flat out without asking for permission first, it would be possible to do what is called cross-site request forgery.

It basically means that since the request is coming from your computer, it will come with your cookies. So by accessing a known URL, say Gmail, I could pretend to be you. And since it's all well hidden within a .swf, you'd never know what happened.

However, if the request goes through a proxy on another server (normally the same server that is hosting the swf), none of those cookies will be present and everything is nice and safe.


crossdomain.xml was introduced to prevent attacks such as cross-site request forgery and also DNS rebinding attacks.
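
An added example, not part of the original answers: a Python check of the permission decision described above, which also flags a policy that grants access to every site (and so gives up the protection for cookie-authenticated content). The sample policies, hostnames and function names are constructed for illustration, and the wildcard matching is a simplified assumption rather than Flash Player's exact rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="static.example.com"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>"""

WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    # Parse only policy files you fetched yourself; use a hardened XML
    # parser if the input is untrusted.
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [el.get("domain", "").strip().lower()
            for el in root.iter("allow-access-from")]


def is_allowed(policy_xml, swf_host):
    """Would a SWF served from swf_host be granted access by this policy?"""
    if policy_xml is None:  # no crossdomain.xml on the target: access denied
        return False
    host = swf_host.lower()
    for pattern in allowed_domains(policy_xml):
        if pattern == "*" or pattern == host:
            return True
        # Simplified wildcard rule (assumption): "*.x" covers subdomains of x.
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False


def audit(policy_xml):
    """Flag patterns that let any site read responses sent with user cookies."""
    return [p for p in allowed_domains(policy_xml) if p == "*"]
```

A non-empty result from `audit()` on a site that authenticates users by cookie means any SWF, from any origin, may read that user's responses.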

