Flex and crossdomain.xml - apache-flex

I was wondering are there any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server and are you aware of any work arounds that dont require the server to have this file in place?
Thanks
Damien

By adding the crossdomain.xml, the main security concern is that flash applications can now connect to your server. So if someone logs into your site, and then browses over to another website with a malicious flash app, that flash app can connect back to your site. Since it's in a browser, cookies are shared to the flash app. This allows the flash app to hijack the user's session to do whatever it is your website does without the user knowing about it.
If your flex app is served from the same server, you don't need a crossdomain.xml
You can put it in a sub directory of your site and use System.security.loadSecurityPolicy()
http://livedocs.adobe.com/flex/2/langref/flash/system/Security.html
Applications would then be limited to that tree of your directory structure.

There are no workaround for the crossdomain file, it is required to support the crossdomain data access or crossdomain scripting. In the event of any cross-domain request, Flash will look for the crossdomain.xml file at the root of the domain. For example, if you are requesting an XML file from:
http://mysubdomain.mydomain.com/fu/bar/
Flash will check if a crossdomain.xml file exist at:
http://mysubdomin.mydomain.com/crossdomain.xml
You can place the crossdomain.xml file in other location. However, when you ever need to load a crossdomain.xml file from a different location, you have to do it via Security.loadPolicyFile . Bear in mind that the location of this crossdomain have any impact on the security access you have. Flash will only grant access to the folder that contains the crossdomain and its child folders.
You may also want to read up on the security changes in Flash Player 10.

You may configure a virtual host for your application. This way the file crossdomain.xml can be at the root of your application but not necessarily at the root of the server.

Yes. Be very careful with crossdomain policy files:
http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/
My two general rules of thumb are:
Do not put a crossdomain policy file on a server that uses cookies
Do not put a crossdomain policy file on an internal server

crossdomain.xml is just a file that has meaning to the Flash runtime; you can restrict what HTTP requests get to see it. You can use web server (e.g. Apache) configuration control to allow read access to it (and only it) from the "root" directory (see previous answers).
You might filter by other headers in the request, etc.
Cheers

Related

Is crossdomain.xml file a mandatory for flex applications to access server?

In my flex application, the war is packaged with crossdomain.xml policy file.
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>
The entries mentioned here means the SWF file from any/all domain can access the server data.
My question here is
the crossdomain.xml necessarily need to be there for accessing the server ?
What happens if we don't have a crossdomain.xml policy file while the SWF file is accessing the server for data ?
Is there any default restrictions the server may have to access its data if we don't place a crossdomain.xml ?
Kindly, Please help me with your answers.
Is the crossdomain.xml necessarily need to be there for accessing the
server ?
No. It is required for a browser based SWF that is located on a different domain from the server. But, a SWF served from the same domain does not need a crossdomain.xml place. A Flash Platform App deployed outside of the browser, as an AIR app or mobile application will not need a crossdomain file to access the server.
What happens if we don't have a crossdomain.xml policy file while the
SWF file is accessing the server for data ?
If the SWF is served off the same domain as the server; then nothing will happen. If the SWF is on a different domain, then your remote class will dispatch a fault event; which will contain a security error of sorts.
Is there any default restrictions the server may have to access its
data if we don't place a crossdomain.xml ?
Yes, but nothing I haven't already said. A SWF served off the same domain as the server can access files/services on that domain. A SWF served off a different domain cannot.
As an example a SWF located at http://mydomain.com/mySWF.swf will be able to access http://mydomain.com/service/MyServiceEndPoint or http://mydomain.com/someImage.gif without any issues. It will not be able to access http://myOtherDomain.com/service/MyServiceEndPoint or http://myOtherDomain.com/someImage.gif.

how to prevent download any files (specially swf) from IIS server

i have a asp.net website
i have some files swf files that i want to prevent downloading them
is there a solution that the IIS can have a passord for downloading the file swf file and i can provide this password in some situations on the server that i can pass this password in the code
so that the swf file can be viewed from my page only as provide the password
but no one can download it using download managers
or any other http request that request this swf file
Don't put the swf file under your web root. Put it somewhere else like C:\Inetpub\assets. Then use a .NET page or handler to provide the file upon request.
http://yoursite.com?GetAsset.ashx?filename=whatever.swf
Then the request will be part of the same session as the rest of your application and you can validate that the user is really allowed to download the swf.
You can configure IIS Authorization, to allow only authenticated user to access your resouces:
http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/
can you create ftp accounts on your server ? if yes , create a folder only accessible with the credentials you set then put the swf files in it ( i guess you are using a distant IIS server ).
Your hosting service may provide an admin interface were you can set some ftp accounts.
The user will have to access your files with a ftp client application.
there is something named Mine Types. If you add a Mime Type and set an extension like .swf to that you allow client to download and see all .swf files of the server. just go to Mime types tool of IIS and remove ones that you want to prevent downloading.

How to configure web.config to support file handler

I created a file browser control which open files on client machine itself, so I don't need to bother about file path
from my application I am not able to redirect page to
file:///C:/Program%20Files/Application/readme.txt
it works for
http://
how can I configure my application to support file handler.
Thanx
If you are trying to redirect to a local file. This is not possible without knowing quite a lot of information on the client machine - for example how do you know the directory structure of the client computer?
Response.Redirect tells the client (browser) where to redirect to. A file URL will be one that is on the client machine - you would need to know in advance that the file is there, that the user has permissions to view it etc...
Are you asking how to send a file from the server?
You can do this via Response.WriteFile.

non asp.net resources authetication and authorization in iis6

I'm creating a website which besides other tasks will play some recorded files. these recorded files are on a remote server with private ip address, so I've created a virtual directory which points to a share directory on the mentioned server.
now I'm able to playback the files using client side controls like wmplayer. BUT the problem is sound file urls are accessible without any authentication and authorization.
is there anyway to enforce .net authorization and authentication (in web.config) on this virtual directory? I also should mention I can not use solutions like httphandlers to download the files because file are streamed using iis so user could navigate on the file without downloading all of it)
thanx
Open IIS (I suppose you use IIS7.0 or later). Find the mentioned virtual directory and click on it. In the listed features find Authentication, right click on it and press Open Feature. Then disable anonymous authentication for this folder. Does the problem persist?

Protect folder from external requests

Im working with asp.net 2.0, and i have a folder into my application path ~/Data/ with some .mdb files.
I would like to protect this folder from external request like http://www.whatever.com/Data/whatever.mdb
But i would need to give any permission to my application, cause im using OleDBConnections agains the ~/Data/ Path.
What could be the best way to protect this folder?
Kind Regards.
Josema.
In IIS manager and remove at least anonymous access if not all access. Your application code can continue to use its contents but HTTP requests can not access it.
If possible in your situation, another option would be to place the mdb files outside of the website. For example, something like this directory structure:
/ MyProject
/ Data
- whatever.mdb
/ www
- Default.aspx
where www is the actual root of your website. That way, users will never be able to access the mdb files from the browser, while you can still use OleDBConnections against the mdb files. To my knowledge this is pretty secure, and this way you can't accidentily forget to disallow access in IIS.
Did you check if it actually is a problem?
I'm using ASP.NET 3.5 here but the default App_Data folder is shielded for downloading. Maybe you should just follow the guidelines and verify.
As for the other answers about moving Data outside your Web folder, that usually won't work when you use a hosting provider.

Resources