The real lesson to learn here is simple: never create a crossdomain.xml that allows any site to connect to yours. No asterisks!
If you absolutely have to do it, put it on a separate domain that can't be used to access other normal site operations.

On Oct 19, 2006, at 4:57 PM, Evert|Rooftop wrote:

> Micha,
>
> The best way to get around any possible crossdomain issues is the following:
>
> * filter everything well on the html side, just like you usually do for XSS-type attacks
> * if you are using html blacklisting, you might want to scan for crossdomain information that might be embedded
> * if you deal with uploaded files, make sure those files are only accessible in a subdirectory that's not part of the same tree as the urls you use to perform 'actions' such as handling of new user information, posting comments etc.
>
> The points above apply to all web applications, not just flash-enabled ones.
>
> If you want an all-access amf gateway or other stuff accessible to flash, do it on a separate domain (api.yourdomain.com) and don't use the same sessions as the html web applications.
>
> Evert
>
> Michael Stuhr wrote:
>> Peter Elst wrote:
>>
>>> Is this what you were referring to, Micha? I know this blog post by Martijn went around a few times to explain the concept:
>>>
>>> http://www.martijndevisser.com/blog/article/why-crossdomainxml-is-a-good-thing
>>>
>> nope, it was mike chambers who said something about that. martijn's is definitely good, but i really understood it when mike explained this. since i do most of my job-time html+css i forgot about this, and now i have spent some months on coding a flash-based extranet which makes use of crossdomain. i'm unsure now what i shall do.
>>
>> micha
>>
>> _______________________________________________
>> osflash mailing list
>> [email protected]
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
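A small audit script for the "no asterisks" rule, added here as an example; it is not code from the thread or from any of the posters. It parses a crossdomain.xml with the standard library, flags a wildcard `allow-access-from`, wildcard subdomains, `secure="false"`, wildcard `allow-http-request-headers-from`, and a missing `site-control` restriction. The two embedded policies and the example.com hostnames are constructed for the demonstration.

```python
"""Audit a Flash crossdomain.xml for the wildcard mistake discussed in the thread.

Added example, not part of the original mailing-list post. Sample policies below
are constructed; example.com hostnames are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the policy the post warns against. Any SWF on any site may
# read this host's responses, with the victim's cookies attached.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: explicit partner hosts only, HTTPS only, and no other
# policy file on the host may widen access. If a fully open policy is really
# needed, it belongs on a separate host (e.g. api.example.com) that shares no
# session with the main site, as the thread suggests.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="app.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings (strings). An empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is %r, expected cross-domain-policy" % root.tag]

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any SWF on the web '
                            'can read responses with the user\'s cookies')
        elif domain.startswith("*"):
            findings.append('allow-access-from domain="%s": a whole wildcard '
                            'scope is trusted, including hosts you do not control'
                            % domain)
        # secure defaults to true for a policy served over https; only an
        # explicit "false" downgrades it.
        if el.get("secure", "true").lower() == "false":
            findings.append('allow-access-from domain="%s": secure="false" lets '
                            'http:// SWFs read https:// data' % domain)

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "") == "*" or el.get("headers", "") == "*":
            findings.append("allow-http-request-headers-from with a wildcard: "
                            "any site can send arbitrary request headers")

    sc = root.find("site-control")
    if sc is None or sc.get("permitted-cross-domain-policies") not in ("master-only", "none"):
        findings.append('no site-control permitted-cross-domain-policies="master-only": '
                        'another policy file on this host could widen access')
    return findings


def is_safe(xml_text):
    """True when the audit raises no findings."""
    return not audit_policy(xml_text)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name + ":")
        for f in audit_policy(policy) or ["ok"]:
            print("  - " + f)
```

Run it against a policy fetched from your own site (`curl https://yourhost/crossdomain.xml`) to see whether an asterisk slipped in; the `site-control` check matters because a permissive policy file elsewhere on the same host can otherwise override the master one.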
