On Wed, Feb 11, 2009 at 10:14 AM, Adam Barth <w3c@adambarth.com> wrote: > Adobe found the security case compelling enough to break backwards > compatibility in their crossdomain.xml policy file system to enforce > this requirement. Most serious Web sites opt-in to requiring an > explicit Content-Type. By the way, here's the chart of the various security protections Adobe added to crossdomain.xml and which version they first appeared in: http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html There is another one I forgot: You need to restrict the scope of a host-meta file to a specific IP address. For example, if suppose you retrieve http://example.com/host-meta from 123.123.123.123. Now, you shouldn't apply the information you get from that host-meta file to content retrieved from 34.34.34.34. You need to fetch another host-meta file from that IP address. If you don't do that, the host-meta file will be vulnerable to DNS Rebinding. For an explanation of how this caused problems for crossdomain.xml, see: http://www.adambarth.com/papers/2007/jackson-barth-bortz-shao-boneh.pdf Sadly, this makes life much more complicated for implementers. (Maybe now you begin to see why this draft scares me.) AdamReceived on Wednesday, 11 February 2009 18:27:19 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:38:52 GMT