Adobe Flash Cross-Domain Access from Doug Schepers on 2006-09-22 (public-webapi@w3.org from September 2006)

From: Doug Schepers <doug.schepers@vectoreal.com>
Date: Fri, 22 Sep 2006 12:36:21 +0000
To: Web API public <public-webapi@w3.org>
Message-ID: <4513D8C5.1030502@vectoreal.com>
Hi, folks-

I'm following up on the action to research how Adobe Flash handles 
cross-domain access.

This is done by the use of an XML file on the target server, 
"crossdomain.xml".

The security model is described in a PDF whitepaper [1]:
"The Cross Domain Policy File mechanism is a simple XML file 
(crossdomain.xml) that does the following:
* Modifies the read permission for data between sandboxes and across the 
network. It does not apply to cross-scripting of SWF files.
* Is specified with a text file (served as a policy file from the site 
to be accessed as an ordinary web page), and is consulted by Flash 
Player, which then enforces the rules, rather than requiring (or 
allowing) a SWF file to declare or interpret the permissions.
* Applies only to the protocol and port of the server, rather than 
opening up an entire domain, with one exception: HTTP servers can 
provide the policy files that govern XML socket connections.

The Cross Domain Policy File is located in the root directory of the 
target server by default (for example, at 
www.applicablesite.com/crossdomain.xml), or Flash application developers 
can specify another location by calling the ActionScript 
System.security.loadPolicyFile() API."

The DTD is available on the macromedia site [2], and is quite short:

cross-domain-policy.dtd
===========================
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Macromedia DTD for cross-domain policy files -->

<!ELEMENT cross-domain-policy (allow-access-from*)>
<!ELEMENT allow-access-from EMPTY>
<!ATTLIST allow-access-from domain CDATA #REQUIRED>
<!ATTLIST allow-access-from secure (true|false) "true">

<!-- End of file. -->
===========================

A simple example might look like this:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM 
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>

Amazon's policy [3] is a little more verbose:
<cross-domain-policy>
<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="amazon.com"/>
<allow-access-from domain="www.amazon.com"/>
<allow-access-from domain="pre-prod.amazon.com"/>
<allow-access-from domain="devo.amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="anon.amazon.speedera.net"/>
<allow-access-from domain="*.amazon.ca"/>
<allow-access-from domain="*.amazon.de"/>
<allow-access-from domain="*.amazon.fr"/>
<allow-access-from domain="*.amazon.jp"/>
<allow-access-from domain="*.amazon.co.jp"/>
<allow-access-from domain="*.amazon.uk"/>
<allow-access-from domain="*.amazon.co.uk"/>
</cross-domain-policy>

So, it seems that it's a simple accept-list on the target server.  Is 
the current Access Control notably different or more secure?

[1] 
http://www.adobe.com/devnet/flashplayer/articles/flash_player_8_security.pdf
[2] http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd
[3] http://www.amazon.com/crossdomain.xml

Regards-
-Doug

Research and Standards Engineer
6th Sense Analytics
www.6thsenseanalytics.com
mobile: 919.932.9872
Received on Friday, 22 September 2006 12:36:40 UTC