Why crossdomain.xml is a good thing

Thursday 28 July 2005  –  Filed under: Flash  –  4 Comments

I regularly encounter Flash users as well as clients who wonder why the Flash player implements a cross-domain sandbox security model using policy files named crossdomain.xml. I drew 6 simple diagrams that demonstrate its use.

As you can see in the slides below, a malicious user could steal data from your LAN. This is made possible by the fact that every SWF file you view runs locally on your machine, so its HTTP requests originate from inside your network. Without a sandbox, a SWF would therefore have HTTP access to all machines behind the company firewall. Not a good thing.

To prevent this, every server other than the one the SWF is loaded from needs to have a crossdomain.xml file available, listing all domains that have access to that particular server. If the crossdomain.xml file is either absent or does not list the domain the SWF originates from, the SWF won’t have access to that server.

The crossdomain.xml file prevents SWFs from snooping around on the LAN. And it not only works for servers within your LAN, but also for other servers on the Internet.
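To make the rule above concrete, here is an added example (not code from the original post or from Adobe) that evaluates a server's crossdomain.xml the way the post describes: no file or no matching entry means no access. The policy strings are constructed samples; the handling of the `*.example.com` wildcard (matching the bare domain as well as its subdomains) is an assumption of this example.

```python
"""Decide whether a SWF served from swf_host may read data from a server,
given the text of that server's crossdomain.xml (None if it has none)."""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample policies (not from the original post).
STRICT_POLICY = (
    '<cross-domain-policy>'
    '<allow-access-from domain="www.example.com"/>'
    '</cross-domain-policy>'
)
SUBDOMAIN_POLICY = (
    '<cross-domain-policy>'
    '<allow-access-from domain="*.example.com"/>'
    '</cross-domain-policy>'
)
OPEN_POLICY = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'


def allowed_by_policy(policy_xml: Optional[str], swf_host: str) -> bool:
    """True only if the policy explicitly grants swf_host; absent file => denied."""
    if policy_xml is None:          # server has no crossdomain.xml at all
        return False
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False
    host = swf_host.lower()
    for rule in root.findall("allow-access-from"):
        pattern = rule.get("domain", "").lower()
        if pattern == "*":          # any SWF from anywhere may read this server
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]    # e.g. ".example.com"
            # Assumption: the bare domain matches the wildcard too.
            if host.endswith(suffix) or host == suffix[1:]:
                return True
        elif pattern == host:
            return True
    return False                    # no entry lists the SWF's domain


def policy_warnings(policy_xml: str) -> List[str]:
    """Flag entries that grant far more than a LAN server usually intends."""
    found = []
    for rule in ET.fromstring(policy_xml).findall("allow-access-from"):
        if rule.get("domain") == "*":
            found.append("domain='*' exposes this server to any SWF on the Internet")
    return found
```

Running `policy_warnings(OPEN_POLICY)` on an intranet server's file is the check worth adding to a deployment review: a wildcard policy undoes exactly the protection the post describes.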

Please note that, at best, I’ve only scratched the surface of the whole policy file system. For more information, refer to this helpful page at the Adobe website.

4 Responses

  1. What is this cross-domain.xml file anyway? « Sudha Hariharan says:

    [...] http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14213&sliceId=1 http://www.martijndevisser.com/blog/2005/why-crossdomainxml-is-a-good-thing/ [...]

  2. FLEX{er} » Blog Archive » Cross domain policy says:

    [...] Resources: Using cross-domain policy files Overview of permission controls Cross-domain policy file usage recommendations for Flash Player Allowing cross-domain data loading About compatibility with previous Flash Player security models cross domain policy files (moock.org) Why crossdomain.xml is a good thing [...]

  3. gruchalski.com » Archive » Why crossdomain.xml is even more than a good thing says:

    [...] I finally figured it out. At least one of two reasons. About 4 years ago Martijn de Visser described one of them – defending your internal network from the attacks. But there is another way reason why [...]

  4. Pradip Jadhav says:

    Hello,

    I am having an error of cross domain policy. I am working on a PHP Flex project. Due to some reason I want to call one JSP file through HTTPService. The JSP file returns a string value, true or false.

    But while running the application it gives me a channel’s security error. I included the cross domain policy file. But it is giving the same error.

    Will you please help me to solve this problem.

    Thanks in advance

    Regards,
    Pradip Jadhav
