We have a Flash application provided by a vendor. It reads its parameters from an XML file on our web server's file system. However, it can also be spoofed to read its parameters from an XML file sitting on another domain's web server. At first we thought crossdomain.xml might be able to fix this, but we've researched it and understand the purpose of crossdomain.xml. It won't solve this issue.
Are there any ways of enforcing that a Flash application reads its input file only from the same server where the Flash application was served? Or is the recommendation just to initialize variables within the Flash app, not relying on an external file?
Thanks for your help with this.
You think someone can force your SWF to read an off-site XML? Or are you trying to prevent others from using your SWF on their server?
Yes, the idea is that someone would force my SWF to read an off-site XML input file, which would initialize some variables in my file. It was a defect detected by Whitehat, so I'm pretty sure it's plausible.
How can anyone cause your SWF to read an XML file other than the one you specify in your SWF?