Micha,
The best way to get around any possible crossdomain issues is the following:

* Filter everything well on the HTML side, just like you usually do for XSS-type attacks.
* If you are using HTML blacklisting, you might want to scan for crossdomain information that might be embedded.
* If you deal with uploaded files, make sure those files are only accessible in a subdirectory that's not part of the same tree as the URLs you use to perform 'actions' such as handling of new user information, posting comments, etc.

The points above apply to all web applications, not just Flash-enabled ones.

If you want an all-access AMF gateway or other stuff accessible to Flash, do it on a separate domain (api.yourdomain.com) and don't use the same sessions as the HTML web applications.
Evert
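Evert's second point (scanning uploads for embedded crossdomain information) and the crossdomain policy itself, as an added example that is not part of this thread or any osflash code: a defensive check that flags uploaded blobs carrying Flash policy-file markup, and an audit of a site's own crossdomain.xml for over-broad rules. The element and attribute names are Adobe's real policy-file vocabulary; the sample inputs are constructed here.

```python
# Added example (not from the osflash thread). Two defensive checks:
#  1. scan_upload_for_policy: does an uploaded file smuggle policy-file markup?
#     Flash's policy loader tolerated surrounding junk, so a "GIF" or ".txt"
#     that contains <cross-domain-policy> could be served as a policy file.
#  2. audit_policy: does the site's own crossdomain.xml grant too much?
import re
import xml.etree.ElementTree as ET

# Tokens that only belong in a Flash cross-domain policy file.
_POLICY_TOKENS = re.compile(
    rb"<\s*(cross-domain-policy|allow-access-from|"
    rb"allow-http-request-headers-from|site-control)\b",
    re.IGNORECASE,
)


def scan_upload_for_policy(data: bytes) -> list[str]:
    """Return the distinct policy-file tokens found in an upload (empty = clean)."""
    return sorted({m.group(1).decode("ascii").lower()
                   for m in _POLICY_TOKENS.finditer(data)})


def audit_policy(xml_text: str) -> list[str]:
    """Flag over-broad rules in a site's crossdomain.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain=* grants every origin")
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain rule: {domain}")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"secure=false lets http origins reach https content: {domain}")
    return findings


# Constructed samples: a fake image upload hiding a policy, a clean upload,
# and a deliberately weak policy file.
SAMPLE_UPLOAD = (b"GIF89a\x00\x00 <cross-domain-policy>"
                 b"<allow-access-from domain=\"*\"/></cross-domain-policy>")
CLEAN_UPLOAD = b"GIF89a just pixels here"
SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="api.yourdomain.com" secure="false" />
</cross-domain-policy>"""

if __name__ == "__main__":
    print("upload tokens:", scan_upload_for_policy(SAMPLE_UPLOAD))
    print("policy findings:", audit_policy(SAMPLE_POLICY))
```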
Michael Stuhr wrote:
> Peter Elst wrote:
>
>> Is this what you were referring to Micha? I know this blog post by Martijn
>> went around a few times to explain the concept:
>>
>> http://www.martijndevisser.com/blog/article/why-crossdomainxml-is-a-good-thing
>
> Nope, it was Mike Chambers who said sth about that. Martijn's is definitely
> good, but I really understood it when Mike explained this. Since I do most of
> my job-time HTML+CSS I forgot about this, and now I have spent some months on
> coding a Flash-based extranet which makes use of crossdomain. I'm unsure now
> what I shall do.
>
> micha
_______________________________________________
osflash mailing list
[email protected]
http://osflash.org/mailman/listinfo/osflash_osflash.org