Pete Freitag Pete Freitag

The Dangers of Flash's crossdomain.xml

Published on November 02, 2006
By Pete Freitag

PHP security guru Chris Shiflett has a great post about the dangers of Cross Domain Flash. If you have implemented a crossdomain.xml file you will want to read his post.

If you have a crossdomain.xml file on your domain, and you allow access from ALL domains, then you are essentially opening that domain up to Cross Site Request Forgery attacks.

Chris found that flickr had a crossdomain.xml file setup to allow flash applications to be built using the Flickr API. The problem is that you can write a flash application that would allow almost any action a logged in flickr user could perform.

Flickr has fixed the problem by moving the API endpoint, and crossdomain.xml to, instead of running under something like Now a flash application can't make calls to from another domain.

The moral of the story is to make sure that your API runs on a different domain from your public web site if you are going to implement a crossdomain.xml file.

flickr xsrf csrf security flash crossdomain

The Dangers of Flash's crossdomain.xml was first published on November 02, 2006.

If you like reading about flickr, xsrf, csrf, security, flash, or crossdomain then you might also like:

Weekly Security Advisories Email

Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).