Cross-domain policy file usage recommendations for Flash Player. One of the best explanations of the security implications of crossdomain.xml files I've seen. If you host a crossdomain.xml file with allow-access-from domain="*" and don't understand all of the points described here, you probably have a nasty security vulnerability.
If you have allow-access-from domain="*" in the master policy file (the crossdomain.xml at the root of the domain) then yes, any Flash application from anywhere can access your domain data. Sometimes this is necessary though, if for example you want to allow third-party Flash applications to load videos from your domain. However allow-access-from domain="*" can also be used in a policy file for a specific folder, without exposing the whole domain e.g. mydomain.com/flashvideos/crossdomain.xml. Allowing multiple policy files on a domain though does have its own security implications.
It's worth checking out Adobe's Cross-domain policy file specification and Policy file changes in Flash Player 9 and Flash Player 10. Adobe even say there that for security "meta-policies are useful even for servers that do not expect to serve any Flash Player compatible content."
Tom Cole - 5th November 2009 19:16 - #
I still think these are terrible documents for describing quite an obscure and complicated security policy model.
I recently found myself drawing a diagram to explain this to someone, and couldn't understand why there wasn't one online already. I'll try to polish it up, make it generic and write something up soon. This is a topic that deserves more than just pages of waffle.
James Wheare - 7th November 2009 06:57 - #
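An added audit script (my own example, not from the post, its comments, or Adobe) that parses a crossdomain.xml and flags the settings discussed above: a wildcard allow-access-from, a missing or loose site-control meta-policy, and secure="false". The two sample policy files are constructed for illustration; the element and attribute names are the ones from Adobe's policy file specification.

```python
"""Audit a Flash crossdomain.xml for over-permissive settings.

Added example (not from the original post or its comments). The sample
policies below are constructed; element and attribute names follow
Adobe's cross-domain policy file specification.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "nasty vulnerability" case from the post.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: hardened master policy. "master-only" makes Flash Player
# ignore per-folder policy files, and only one named origin is trusted.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    site_control = root.find("site-control")
    if site_control is None:
        findings.append("no <site-control>: meta-policy not declared (Adobe recommends one)")
    else:
        mode = site_control.get("permitted-cross-domain-policies", "")
        if mode in ("all", "by-content-type", "by-ftp-filename"):
            findings.append("meta-policy '%s' lets policy files in other folders widen access" % mode)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any Flash app from any site can read responses')
        elif domain.startswith("*."):
            findings.append("wildcard rule '%s': every host under that domain is trusted" % domain)
        # secure defaults to true; false lets SWFs loaded over plain HTTP read HTTPS data
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false" on \'%s\': HTTP-loaded SWFs may read HTTPS data' % domain)
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["ok"])
```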