Flex and crossdomain.xml


Question


I was wondering, are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server, and are you aware of any workarounds that don't require the server to have this file in place?

Thanks Damien

Solution

By adding the crossdomain.xml, the main security concern is that flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious flash app, that flash app can connect back to your site. Since it's in a browser, cookies are shared to the flash app. This allows the flash app to hijack the user's session to do whatever it is your website does without the user knowing about it.

If your Flex app is served from the same server, you don't need a crossdomain.xml.

You can put it in a sub directory of your site and use System.security.loadSecurityPolicy()

http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html

Applications would then be limited to that tree of your directory structure.
