Re: [flexcoders] crossdomain.xml... real or not-so-real security?

2007-10-28 Thread Abdul Qabiz
> If that same evil person can get to your hosts file, that's the fault of
> the OS and not Flash.

Yup! The machine is already compromised and that guy can do lots of other things :)

-abdul

On 10/27/07, Alex Harui <[EMAIL PROTECTED]> wrote:
>
>That's right.  The goal of crossdomain.xml is to limit what an evil
> person can do in a SWF served over the web so that the unsuspecting Web
> citizen isn't burned.  It does not block access to the contents from someone
> who has the desire to see the content on their machine.  If that same evil
> person can get to your hosts file, that's the fault of the OS and not Flash.
>
>
>  --
>
> *From:* flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]] *On
> Behalf Of *Abdul Qabiz
> *Sent:* Friday, October 26, 2007 1:40 PM
> *To:* flexcoders@yahoogroups.com
> *Subject:* Re: [flexcoders] crossdomain.xml... real or not-so-real
> security?
>
>
>
> Isn't it like running a standalone SWF which can access network and local
> data (provided you have the right trust config)? Why run an internal server and
> create a host entry? A SWF in AIR/Standalone can access data from foo.com.
>
> Can you put (give an example) this use-case in context of internet
> (public)?
>
> -abdul
>
> On 10/26/07, *geoffreymina* < [EMAIL PROTECTED]> wrote:
>
> Say there is a site which has a crossdomain.xml defined:
>
> http://www.foo.com/crossdomain.xml
>
> with
>
> 
>
> If I were to load an SWF file on my internal webserver and create a
> local host file which contained an entry for fake.foo.com could I then
> load the SWF file from fake.foo.com and access data on www.foo.com?
>
> If this is the case, then it seems to me that crossdomain.xml is really
> just something to make people feel warm and fuzzy... and not at all a
> real security measure.
>
> Thanks,
> Geoff
>
>
>
>
> --
> -abdul
> ---
> http://abdulqabiz.com/blog/
> ---
>
>  
>



-- 
-abdul
---
http://abdulqabiz.com/blog/
---


RE: [flexcoders] crossdomain.xml... real or not-so-real security?

2007-10-26 Thread Alex Harui
That's right.  The goal of crossdomain.xml is to limit what an evil
person can do in a SWF served over the web so that the unsuspecting Web
citizen isn't burned.  It does not block access to the contents from
someone who has the desire to see the content on their machine.  If that
same evil person can get to your hosts file, that's the fault of the OS
and not Flash.

 



From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED]] On
Behalf Of Abdul Qabiz
Sent: Friday, October 26, 2007 1:40 PM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] crossdomain.xml... real or not-so-real
security?

 

Isn't it like running a standalone SWF which can access network and
local data (provided you have the right trust config)? Why run an internal
server and create a host entry? A SWF in AIR/Standalone can access data from
foo.com.

Can you put (give an example) this use-case in context of internet
(public)?

-abdul

On 10/26/07, geoffreymina <[EMAIL PROTECTED]> wrote:

Say there is a site which has a crossdomain.xml defined:

http://www.foo.com/crossdomain.xml

with 



If I were to load an SWF file on my internal webserver and create a 
local host file which contained an entry for fake.foo.com could I then 
load the SWF file from fake.foo.com and access data on www.foo.com?

If this is the case, then it seems to me that crossdomain.xml is really 
just something to make people feel warm and fuzzy... and not at all a 
real security measure.

Thanks,
Geoff




-- 
-abdul
---
http://abdulqabiz.com/blog/
---

 



Re: [flexcoders] crossdomain.xml... real or not-so-real security?

2007-10-26 Thread Abdul Qabiz
Isn't it like running a standalone SWF which can access network and local
data (provided you have the right trust config)? Why run an internal server and
create a host entry? A SWF in AIR/Standalone can access data from foo.com.

Can you put (give an example) this use-case in context of internet (public)?

-abdul

On 10/26/07, geoffreymina <[EMAIL PROTECTED]> wrote:
>
>   Say there is a site which has a crossdomain.xml defined:
>
> http://www.foo.com/crossdomain.xml
>
> with
>
> 
>
> If I were to load an SWF file on my internal webserver and create a
> local host file which contained an entry for fake.foo.com could I then
> load the SWF file from fake.foo.com and access data on www.foo.com?
>
> If this is the case, then it seems to me that crossdomain.xml is really
> just something to make people feel warm and fuzzy... and not at all a
> real security measure.
>
> Thanks,
> Geoff
>
>  
>



-- 
-abdul
---
http://abdulqabiz.com/blog/
---


Re: [flexcoders] crossdomain.xml... real or not-so-real security?

2007-10-26 Thread Paul Decoursey
The use case I've heard that makes sense to me that does provide  
security is this.

Say you have a bunch of FLVs stored on your server and you let some  
people access those from their site.  And at some point you discover  
that someone has been abusing that privilege and racking up huge  
bandwidth charges for you.  So you add the cross domain and deny  
access to certain sites.  Then you can still stream them out, but the  
"friend" that posted it to slashdot is no longer able to.  Make  
sense?  It's not a lot of security in my opinion, but it works.   
There are ways around it, like proxies, but then those people will be  
using the bandwidth themselves as well.



On Oct 26, 2007, at 8:26 AM, geoffreymina wrote:

> Say there is a site which has a crossdomain.xml defined:
>
>   http://www.foo.com/crossdomain.xml
>
> with
>
>   
>
> If I were to load an SWF file on my internal webserver and create a
> local host file which contained an entry for fake.foo.com could I then
> load the SWF file from fake.foo.com and access data on www.foo.com?
>
> If this is the case, then it seems to me that crossdomain.xml is really
> just something to make people feel warm and fuzzy... and not at all a
> real security measure.
>
> Thanks,
> Geoff
>
>
>
>
> --
> Flexcoders Mailing List
> FAQ: http://groups.yahoo.com/group/flexcoders/files/flexcodersFAQ.txt
> Search Archives: http://www.mail-archive.com/flexcoders%40yahoogroups.com
> Yahoo! Groups Links
>
>
>



[flexcoders] crossdomain.xml... real or not-so-real security?

2007-10-26 Thread geoffreymina
Say there is a site which has a crossdomain.xml defined:

  http://www.foo.com/crossdomain.xml

with 

  

If I were to load an SWF file on my internal webserver and create a 
local host file which contained an entry for fake.foo.com could I then 
load the SWF file from fake.foo.com and access data on www.foo.com?

If this is the case, then it seems to me that crossdomain.xml is really 
just something to make people feel warm and fuzzy... and not at all a 
real security measure.

Thanks,
Geoff
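To make the thread's answer concrete (Alex: the policy is enforced inside the viewer's Flash Player, so it protects the visiting user rather than the server's content; Paul: the file is an allowlist, so "denying" a hotlinking site means leaving it out), here is a small simulator of the decision the player makes. This is an added example written for this page, not code from the thread or from Adobe. The policy text is constructed (the one Geoff posted did not survive extraction), `partner.example` and `hotlinker.example` are hypothetical hosts, the policy is assumed to be served over HTTPS so `secure` defaults to true, and the wildcard rules are a simplification of the Adobe policy-file specification.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for www.foo.com (the thread's own policy did not
# survive extraction). Assumed to be served over HTTPS, so a rule without a
# secure attribute defaults to secure="true".
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.foo.com" />
  <allow-access-from domain="partner.example" secure="true" />
</cross-domain-policy>
"""


def parse_policy(xml_text):
    """Return [(domain_pattern, secure_only), ...] from the allow-access-from
    elements. Anything not listed is denied: the file is an allowlist, which
    is how Paul's 'cut off the hotlinker' use case works (leave them out)."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure_only = el.get("secure", "true").lower() != "false"
        rules.append((domain, secure_only))
    return rules


def domain_matches(pattern, host):
    """Wildcard matching as this simulator models it (a simplification of the
    Adobe rules): '*' matches any host; '*.foo.com' matches foo.com and every
    subdomain; anything else must match exactly, case-insensitively."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return pattern == host


def player_allows(policy_xml, swf_host, swf_scheme="https"):
    """Decide as an honest Flash Player does before letting a SWF read the
    response. swf_host is the origin the player *believes* the SWF came from;
    that belief is produced by the player's own machine (its DNS, its hosts
    file). That is Alex's point: the check lives on the viewer's side, so a
    server cannot use it to keep content from whoever controls the viewer."""
    for pattern, secure_only in parse_policy(policy_xml):
        if not domain_matches(pattern, swf_host):
            continue
        if secure_only and swf_scheme != "https":
            continue  # a secure="true" rule only honours SWFs loaded over HTTPS
        return True
    return False


def thread_scenarios():
    """The situations discussed in the thread, evaluated by an honest player."""
    return {
        "partner over https": player_allows(SAMPLE_POLICY, "partner.example"),
        "partner over http": player_allows(SAMPLE_POLICY, "partner.example", "http"),
        "hotlinker (not listed)": player_allows(SAMPLE_POLICY, "hotlinker.example"),
        "fake.foo.com (wildcard match)": player_allows(SAMPLE_POLICY, "fake.foo.com"),
    }


if __name__ == "__main__":
    for label, allowed in thread_scenarios().items():
        print(f"{label:32} -> {'allowed' if allowed else 'denied'}")
```

The last scenario is the one Geoff asks about: a name under `*.foo.com` is matched, but only by a player whose own name resolution says the SWF came from there. A third party's SWF running in an ordinary visitor's browser never gets that origin, which is the case the policy exists for; and a client that is not an honest player never calls `player_allows` at all, which is why the file is not a confidentiality control for the server's data. For the wildcard itself, the practical takeaway is that `*.foo.com` is broad: any host you put under that suffix, now or later, is implicitly trusted.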