Cross domain scripting - Flash


Once upon a time the internet was quite a simple little place where every interaction required a synchronous transaction between the client and the server.

You entered some information in to a form, pressed a button and the page was sent to a server somewhere for processing. The results were returned to you when the page reloaded.

Life was simple: Post - get response - reload page and move forward on your merry way.

Then Jesse James Garrett (JJG) blew the whole model apart by coining a cool name (AJAX) for scripting the browser's XMLHttpRequest object. This very simple act changed the 'transactional' nature of the web. It was no longer cool to wait for the whole page to refresh; people expected portions of a web page to load asynchronously.

This new world of websites created a bit of a headache for the security bods, because accompanying the new transaction model was a 'hailstorm' of new web services: little code islands a developer can contact to get information on everything from book reviews to weather forecasts to bank statements.

The thing that troubled the security bods was how to control which web sites could call a web service, and read its responses, from inside a user's browser.

The answer was the browser's same-origin policy: script on a page may only read responses from its own domain, so a site outside that domain cannot connect to the web service. Very cool, except most web developers want to use web services from Amazon etc.

One easy way round this was to use Flash as a conduit for the AJAX request, because the Flash Player makes its own cross-domain requests. However, Adobe have been very busy updating the Flash Player to enforce a tighter security model. This process started by requiring the presence of a crossdomain.xml policy file at the root of the web service's host before a SWF served from another domain may read the service's responses.

At first, all you were required to do was publish a crossdomain.xml file containing the following lines (the allow-access-from element is empty and must be self-closed, otherwise the policy is malformed and the Flash Player ignores it):

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" secure="true" />
</cross-domain-policy>

You can replace the * in the domain attribute with a domain name or IP address to allow access only from that domain, for closed access. Be aware that domain="*" lets a Flash movie on any site read responses from your service, and the requests are sent with the user's cookies, so a service that returns anything user-specific should list the domains it trusts rather than use the wildcard. The secure attribute only matters when the policy is served over HTTPS: the default secure="true" rejects callers served over plain HTTP, while secure="false" accepts them.

With Flash Player 9, Adobe started to tighten the security model. A cross-domain request that carries custom HTTP request headers is now only allowed if the policy also lists which headers the calling domain may send:

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" secure="true" />
    <allow-http-request-headers-from domain="*" headers="*" secure="true" />
</cross-domain-policy>

As before, domain and headers can be narrowed: a comma-separated list of header names instead of * limits what a caller can inject into requests to your service.

And with the launch of Flash Player 10 the security is going to be even tighter: Adobe have announced that the default meta-policy becomes master-only, so a policy file outside the site root is only honoured if the master crossdomain.xml permits it through a site-control element. The culmination of all these changes is that a lot of Flash applications will stop working if the crossdomain.xml file hasn't been updated in line with the changes to Flash's security model.
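Because the policy file is what stands between your service and every SWF on the internet, it is worth checking before deployment. The following is an added example, not code from the original post: a small Python checker that parses a crossdomain.xml body and flags the over-permissive settings discussed above (wildcard domain, secure="false", wildcard headers, a site-control meta-policy of "all"), and reports a malformed file such as the unclosed tag from the first snippet. The function name check_policy and both sample policies are constructed for this example.

```python
"""Static check of a Flash crossdomain.xml policy for over-permissive settings.

Added example for illustration; not code from the original post.
The function name and both sample policies below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open style of policy shown in the post.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" secure="false" />
    <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
"""

# Constructed sample: the same policy narrowed to one trusted partner host.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only" />
    <allow-access-from domain="www.example.com" secure="true" />
    <allow-http-request-headers-from domain="www.example.com" headers="X-Requested-With" secure="true" />
</cross-domain-policy>
"""


def check_policy(xml_text):
    """Return a list of (severity, message) findings for a crossdomain.xml body.

    An empty list means nothing over-permissive was found.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unclosed <allow-access-from ...> tag is a parse error; the Flash
        # Player ignores a malformed policy, so cross-domain calls fail closed.
        return [("error", "malformed XML, policy will be ignored: %s" % exc)]
    if root.tag != "cross-domain-policy":
        return [("error", "root element is <%s>, expected <cross-domain-policy>" % root.tag)]

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()  # Flash default is true
        if domain == "*":
            findings.append(("high", "allow-access-from domain=\"*\": any site can read "
                                     "responses sent with the user's cookies"))
        elif domain.startswith("*."):
            findings.append(("medium", "allow-access-from domain=%r: every subdomain is trusted" % domain))
        if secure == "false":
            findings.append(("medium", "allow-access-from domain=%r secure=\"false\": plain-HTTP "
                                       "callers may read HTTPS responses" % domain))

    for rule in root.findall("allow-http-request-headers-from"):
        domain = rule.get("domain", "")
        headers = rule.get("headers", "").strip()
        if domain == "*" and headers == "*":
            findings.append(("high", "allow-http-request-headers-from domain=\"*\" headers=\"*\": "
                                     "any site can send arbitrary request headers"))

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control permitted-cross-domain-policies=\"all\": policy "
                                   "files anywhere on the host are honoured"))
    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("tight", TIGHT_POLICY)):
        print("%s policy:" % name)
        for severity, message in check_policy(policy) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run it against a real file with check_policy(open("crossdomain.xml").read()); anything rated high means a Flash movie on an arbitrary site can drive your service with the visitor's session.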
