Flex and crossdomain.xml


Question

I was wondering, are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server, and are you aware of any workarounds that don't require the server to have this file in place?

Thanks, Damian

Recommended answer

By adding the crossdomain.xml, the main security concern is that Flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious Flash app, that Flash app can connect back to your site. Since it's in a browser, cookies are shared to the Flash app. This allows the Flash app to hijack the user's session to do whatever it is your website does without the user knowing about it.

If your Flex app is served from the same server, you don't need a crossdomain.xml.

You can put it in a subdirectory of your site and use System.security.loadSecurityPolicy()

http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html

Applications would then be limited to that tree of your directory structure.
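
An added example, not part of the original answer: a small Python check you can run over your own crossdomain.xml to see which rules grant other sites' Flash content access, and how placing the file in a subdirectory narrows what it covers. The sample policies, hostnames and paths are constructed, and the domain matching is a simplification of Flash Player's rules.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample policies (hostnames are placeholders).
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""
SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="apps.example.com"/>
  <allow-access-from domain="*.cdn.example.com"/>
</cross-domain-policy>"""

def domain_matches(pattern, host):
    """Simplified allow-access-from matching: '*', '*.suffix', or exact host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def policy_scope(policy_path):
    """Directory tree that a policy file at this URL path applies to."""
    return posixpath.dirname(policy_path).rstrip("/") + "/"

def swf_may_read(policy_xml, policy_path, swf_host, request_path):
    """Would a SWF served from swf_host be granted request_path by this policy?"""
    if not request_path.startswith(policy_scope(policy_path)):
        return False
    rules = ET.fromstring(policy_xml).iter("allow-access-from")
    return any(domain_matches(r.get("domain", ""), swf_host) for r in rules)

def audit(policy_xml, policy_path):
    """Flag rules that expose authenticated content to third-party sites."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(f"any site may read {policy_scope(policy_path)} with the user's cookies")
        elif domain.startswith("*."):
            findings.append(f"every host under {domain[2:]} is trusted")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"{domain}: SWFs loaded over plain HTTP are accepted")
    return findings

if __name__ == "__main__":
    for name, xml_text, path in [("open", OPEN_POLICY, "/crossdomain.xml"),
                                 ("scoped", SCOPED_POLICY, "/api/public/crossdomain.xml")]:
        print(name, audit(xml_text, path))
```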
