My understanding of this is that the crossdomain.xml file simply identifies which domains incoming requests are allowed from.
This doesn't give anyone any more control over your server than they currently have; it just stops Flash Player from accessing your server when it isn't in the list of authorised domains.
robots.txt is more dangerous to a website owner due to the fact that it can provide information about the underlying site.
crossdomain.xml doesn't contain any information about the site or server, just which domains are allowed access to the webserver.
The security implications are mostly due to your PHP coding in the back-end. If you do not check to make sure that this Flash user is allowed before giving data to it then you can cause a security hole. But that's your problem, not Flash's.
Basically nothing new can be done with Flash with regard to security. It all can be just as easily done using off-the-shelf tools like "Firebug" for the Firefox browser, or "nettools" which is a Java-based HTTP test *fraud* tool.
After reading my post - crossdomain.xml *may* provide information about the other servers in your network, if you explicitly define them.
The way I understand the main security risk is this:
I'm looking for a way around this and I think the sub-domain thing is the way to go. I'd just like to hear from someone who's actually done it.
You can use FDS, where proxy-config.xml will handle this thing.
You don't need to worry about crossdomain.xml.
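The replies above describe crossdomain.xml as a list of domains allowed to make requests, and note that explicitly listed hosts are visible to anyone who fetches the file. The following is an added example, not code from any poster in this thread: a small Python audit that reads a policy and reports which entries are wildcards and which host names it publishes. The sample policy and its host names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the host names are made up for this example.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="reports.internal.example.net" secure="false"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return (domain, finding) tuples for each allow-access-from entry."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = (entry.get("domain") or "").strip()
        if domain == "*":
            # Any site's Flash content may read responses from this server.
            findings.append((domain, "any-domain"))
        elif domain.startswith("*."):
            findings.append((domain, "wildcard-subdomain"))
        elif domain:
            # A fully named host is disclosed to anyone who reads the file.
            findings.append((domain, "named-host"))
        else:
            findings.append((domain, "missing-domain"))
        # secure="false" lets content loaded over HTTP read an HTTPS server.
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, "secure-false"))
    return findings


def named_hosts(xml_text):
    """Host names the policy publishes verbatim."""
    return [d for d, kind in audit_policy(xml_text) if kind == "named-host"]


if __name__ == "__main__":
    for domain, kind in audit_policy(SAMPLE_POLICY):
        print(f"{kind:20s} {domain}")
```

Whatever the policy allows, the back-end still has to authorise each request itself, as one reply above points out.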