- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 11 Feb 2009 10:26:38 -0800
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>
On Wed, Feb 11, 2009 at 10:14 AM, Adam Barth <w3c@adambarth.com> wrote:
> Adobe found the security case compelling enough to break backwards
> compatibility in their crossdomain.xml policy file system to enforce
> this requirement. Most serious Web sites opt-in to requiring an
> explicit Content-Type.

By the way, here's the chart of the various security protections Adobe added to crossdomain.xml and which version they first appeared in:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html

There is another one I forgot: You need to restrict the scope of a host-meta file to a specific IP address. For example, suppose you retrieve http://example.com/host-meta from 123.123.123.123. Now, you shouldn't apply the information you get from that host-meta file to content retrieved from 34.34.34.34. You need to fetch another host-meta file from that IP address. If you don't do that, the host-meta file will be vulnerable to DNS Rebinding. For an explanation of how this caused problems for crossdomain.xml, see:

http://www.adambarth.com/papers/2007/jackson-barth-bortz-shao-boneh.pdf

Sadly, this makes life much more complicated for implementers. (Maybe now you begin to see why this draft scares me.)

Adam
Received on Wednesday, 11 February 2009 18:27:19 UTC
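The IP-scoping rule described in the message above, shown as an added example that is not part of the original mailing-list post or of any host-meta implementation: a policy cache keyed by (host, resolved IP) is placed beside a cache keyed by host name only. The network is simulated by a constructed table (`FAKE_NETWORK`, `fetch_host_meta`) rather than real HTTP, and the policy document bodies and the second IP address are assumed values used only to illustrate the behaviour.

```python
"""Scope cached host-meta policies to the IP address they were fetched from.

A client that fetches http://example.com/host-meta from one IP address must not
reuse that policy for content later retrieved from a different IP address for
the same host name; it has to fetch the policy again from the new address.
"""

# Constructed stand-in for the network: (host, ip) -> host-meta body, or None
# when that address serves no host-meta document. The 34.34.34.34 entry is an
# assumed second address that the same host name might resolve to later.
FAKE_NETWORK = {
    ("example.com", "123.123.123.123"): "<XRD><Link rel='policy'/></XRD>",
    ("example.com", "34.34.34.34"): None,
}


def fetch_host_meta(host, ip):
    """Simulated fetch of http://<host>/host-meta sent to a specific IP address.

    Returns the document body, or None if that address serves no host-meta.
    """
    return FAKE_NETWORK.get((host, ip))


class HostMetaPolicyCache:
    """Correct behaviour: the cache key includes the IP the policy came from."""

    def __init__(self, fetch=fetch_host_meta):
        self._fetch = fetch
        self._cache = {}  # (host, ip) -> policy body or None
        self.fetch_count = 0  # how many policy fetches were actually issued

    def policy_for(self, host, ip):
        key = (host, ip)
        if key not in self._cache:
            # First time we see this (host, ip) pair: fetch from that address.
            self.fetch_count += 1
            self._cache[key] = self._fetch(host, ip)
        return self._cache[key]

    def may_apply(self, host, ip):
        """True only if a policy was obtained from this exact address."""
        return self.policy_for(host, ip) is not None


class HostOnlyCache:
    """Flawed behaviour for contrast: the cache key is the host name alone,
    so a policy fetched from one address is reused for every address the
    name later resolves to. This is the mistake the message warns about."""

    def __init__(self, fetch=fetch_host_meta):
        self._fetch = fetch
        self._cache = {}  # host -> policy body or None
        self.fetch_count = 0

    def policy_for(self, host, ip):
        if host not in self._cache:
            self.fetch_count += 1
            self._cache[host] = self._fetch(host, ip)
        return self._cache[host]  # ip is ignored on a cache hit

    def may_apply(self, host, ip):
        return self.policy_for(host, ip) is not None


if __name__ == "__main__":
    scoped = HostMetaPolicyCache()
    print("scoped, first IP :", scoped.may_apply("example.com", "123.123.123.123"))
    print("scoped, second IP:", scoped.may_apply("example.com", "34.34.34.34"))
    loose = HostOnlyCache()
    print("host-only, first IP :", loose.may_apply("example.com", "123.123.123.123"))
    print("host-only, second IP:", loose.may_apply("example.com", "34.34.34.34"))
```

With the scoped cache the second address gets its own fetch and, because nothing is served there, no policy is applied to content from it; the host-only cache answers from the first fetch and applies the 123.123.123.123 policy to 34.34.34.34 without ever contacting it.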