CrossDomain.xml And ClientAccessPolicy.xml - Extremely Permissive

crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

clientaccesspolicy.xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
Mostly used for
■ Flash
■ Flex
■ (and) Silverlight
■ there are also some rare JavaScript bridges that use these files too (mostly for cross-domain XHR).

☠☢☣⚠⚡...⚾... (whaaa? why ⚾?? ohhh... nevermind..)
no warning or other lame excuse: this is what no-one wants you to use.


⓵ The encoding attribute in the XML declaration is not actually required,
but you may specify encoding="utf-8" or encoding="ISO-8859-1".


⓶ Alternative policy file schemas
Generic DTD http://www.adobe.com/xml/dtds/cross-domain-policy.dtd
Generic XSD http://www.adobe.com/xml/schemas/PolicyFile.xsd
HTTP XSD http://www.adobe.com/xml/schemas/PolicyFileHttp.xsd
HTTPS XSD http://www.adobe.com/xml/schemas/PolicyFileHttps.xsd
FTP XSD http://www.adobe.com/xml/schemas/PolicyFileFtp.xsd
Socket XSD http://www.adobe.com/xml/schemas/PolicyFileSocket.xsd


⓷ Ideally, all URL policy files should be served (using .htaccess is perfectly fine!) with the header Content-Type: text/x-cross-domain-policy
(although it is OK to serve them as any of text/*, application/xml or application/xhtml+xml).
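As an added example (not part of the original post), here is a small standard-library checker that parses both policy formats above and lists the permissive settings a reviewer would flag; the two sample documents are the fully open files from this post, embedded inline, and the finding strings are my own wording.

```python
# Added example (not part of the original post): flag the permissive settings
# in crossdomain.xml and clientaccesspolicy.xml using only the standard library.
import xml.etree.ElementTree as ET
# Constructed sample: the fully open crossdomain.xml shown in the post.
CROSSDOMAIN_OPEN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: the fully open clientaccesspolicy.xml shown in the post.
CLIENTACCESS_OPEN = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="*"><domain uri="*"/></allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def audit_crossdomain(xml_text):
    """Return the list of risky settings found in a Flash cross-domain-policy."""
    root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    findings = []
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control: any policy file on the host is honoured")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*" or domain.startswith("*."):
            findings.append("allow-access-from: wildcard domain %r" % domain)
        if el.get("secure", "true").lower() == "false":
            findings.append("allow-access-from: secure=false, http origins reach https")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers") == "*":
            findings.append("request-headers: any origin may send any header")
    return findings


def audit_clientaccess(xml_text):
    """Return the list of risky settings found in a Silverlight access-policy."""
    root = ET.fromstring(xml_text)
    findings = []
    for af in root.iter("allow-from"):
        if any(d.get("uri") == "*" for d in af.iter("domain")):
            findings.append("allow-from: domain uri=* admits any origin")
        if af.get("http-request-headers") == "*":
            findings.append("allow-from: http-request-headers=* forwards any header")
    for res in root.iter("resource"):
        if res.get("path") == "/" and res.get("include-subpaths") == "true":
            findings.append("grant-to: whole site exposed (/ with subpaths)")
    return findings
```

Running both functions on the two samples returns four and three findings respectively; a policy restricted to a named domain with secure="true" and master-only returns an empty list.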