
The Dangers of Cross-Domain Ajax with Flash

Chris Shiflett, one of the best-known PHP security experts, has a post titled The Dangers of Cross-Domain Ajax with Flash, continuing the earlier discussion of cross-domain Ajax insecurities. The problem with cross-domain Ajax in Flash lies in crossdomain.xml, the explicit opt-in file a server must publish before Flash will make cross-site requests to it. That file is supposed to name the foreign domains that are allowed to make cross-site requests, yet a quick Google search shows that most websites simply allow * , which permits requests from every domain. Chris's conclusion is a very practical way to address the problem:

If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there's almost no limit to what an attacker can do.

Read more on Chris's blog, and see also the post by Julien Couvreur on the same topic.
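As an added example (not code from Chris Shiflett's post or this blog), here is a small Python audit that parses a crossdomain.xml policy and flags the wildcard opt-in the post warns about; both sample policies are constructed for the example.

```python
"""Audit an Adobe crossdomain.xml policy for overly broad cross-site grants."""
import xml.etree.ElementTree as ET

# Constructed sample: the pattern the post describes, granting every domain access.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: named hosts only, served to HTTPS callers only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.partner.example.net" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            # Any site on the web can script requests that carry the user's cookies.
            findings.append(("high", 'domain="*" lets every site make credentialed requests'))
        elif domain.startswith("*."):
            # A subdomain wildcard trusts every current and future host under it.
            findings.append(("medium", f"subdomain wildcard {domain}: every host under it is trusted"))
        if secure == "false":
            # Explicitly lets plain-HTTP Flash content reach an HTTPS policy's resources.
            findings.append(("medium", f'secure="false" on {domain} lets HTTP content reach HTTPS resources'))
    return findings


def is_permissive(xml_text):
    """True when the policy contains at least one high-severity grant."""
    return any(sev == "high" for sev, _ in audit_crossdomain(xml_text))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy))
```

Run it against a policy fetched from your own host at /crossdomain.xml; a high finding means the user interface and API share a domain that any third-party site can talk to, which is exactly the situation the quoted advice tells you to avoid.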
