- From: Doug Schepers <doug.schepers@vectoreal.com>
- Date: Fri, 22 Sep 2006 12:36:21 +0000
- To: Web API public <public-webapi@w3.org>
Hi, folks- I'm following up on the action to research how Adobe Flash handles cross-domain access. This is done by the use of an XML file on the target server, "crossdomain.xml". The security model is described in a PDF whitepaper [1]: "The Cross Domain Policy File mechanism is a simple XML file (crossdomain.xml) that does the following: * Modifies the read permission for data between sandboxes and across the network. It does not apply to cross-scripting of SWF files. * Is specified with a text file (served as a policy file from the site to be accessed as an ordinary web page), and is consulted by Flash Player, which then enforces the rules, rather than requiring (or allowing) a SWF file to declare or interpret the permissions. * Applies only to the protocol and port of the server, rather than opening up an entire domain, with one exception: HTTP servers can provide the policy files that govern XML socket connections. The Cross Domain Policy File is located in the root directory of the target server by default (for example, at www.applicablesite.com/crossdomain.xml), or Flash application developers can specify another location by calling the ActionScript System.security.loadPolicyFile() API." The DTD is available on the macromedia site [2], and is quite short: cross-domain-policy.dtd =========================== <?xml version="1.0" encoding="ISO-8859-1"?> <!-- Macromedia DTD for cross-domain policy files --> <!ELEMENT cross-domain-policy (allow-access-from*)> <!ELEMENT allow-access-from EMPTY> <!ATTLIST allow-access-from domain CDATA #REQUIRED> <!ATTLIST allow-access-from secure (true|false) "true"> <!-- End of file. --> =========================== A simple example might look like this: <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <allow-access-from domain="*" /> </cross-domain-policy> Amazon's policy [3] is a little more verbose: <cross-domain-policy> <allow-access-from domain="*.amazon.com"/> <allow-access-from domain="amazon.com"/> <allow-access-from domain="www.amazon.com"/> <allow-access-from domain="pre-prod.amazon.com"/> <allow-access-from domain="devo.amazon.com"/> <allow-access-from domain="images.amazon.com"/> <allow-access-from domain="anon.amazon.speedera.net"/> <allow-access-from domain="*.amazon.ca"/> <allow-access-from domain="*.amazon.de"/> <allow-access-from domain="*.amazon.fr"/> <allow-access-from domain="*.amazon.jp"/> <allow-access-from domain="*.amazon.co.jp"/> <allow-access-from domain="*.amazon.uk"/> <allow-access-from domain="*.amazon.co.uk"/> </cross-domain-policy> So, it seems that it's a simple accept-list on the target server. Is the current Access Control notably different or more secure? [1] http://www.adobe.com/devnet/flashplayer/articles/flash_player_8_security.pdf [2] http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd [3] http://www.amazon.com/crossdomain.xml Regards- -Doug Research and Standards Engineer 6th Sense Analytics www.6thsenseanalytics.com mobile: 919.932.9872
Received on Friday, 22 September 2006 12:36:40 UTC