I'm trying to get my head around the security implications of open (i.e. allow all) crossdomain.xml files. Basically I understand that issues arise when there is an open crossdomain.xml file on a domain that uses cookie or password based authentication, as the SWF can read/forge the cookie info that is sent in the HTTP header. This allows cross-site forgeries and other unintended consequences. My main concern is with server security though. What are the implications as far as compromising the security of the server, aside from forgeries and spoofing?

If I understand correctly, a lot of the risk can be mitigated by hosting the crossdomain.xml file on a separate sub-domain from the domain with the user authentication mechanism. Is this as simple as setting up an Apache virtual host for a sub-domain which hosts a simple PHP script that forwards requests to the domain which contains the data source? What I'd like to do is create a simple Flex application that can be distributed to any (i.e. untrusted) source that reads data from my web server through AMF or an XML Socket, most likely using AMFPHP. How have others got around this problem? Can you provide me with a brief explanation of your solution?

Cheers, Darren.

If you don't understand what I mean by the security implications, these refs might help:

http://shiflett.org/blog/2006/sep/the-dangers-of-cross-domain-ajax-with-flash
http://renaun.com/blog/2006/12/13/167/
http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html

