Published on 2006-09-26 11:29:32
Chris Shiflett, one of the best known PHP security experts, has a post about The Dangers of Cross-Domain Ajax with Flash, continuing the earlier discussion of cross-domain Ajax insecurities. With Flash, cross-domain requests hinge on crossdomain.xml: the server must explicitly opt in by publishing that file, and the file must name the foreign domains that are allowed to make cross-site requests to it. As the Google results show, most websites simply put "*" in it, which allows requests from every domain. Chris's conclusion is the most useful way to resolve the problem:
If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there's almost no limit to what an attacker can do.
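As an added example (not from Chris's post or from this page), here is a small Python checker that reads a crossdomain.xml policy, lists its grants, answers whether a SWF hosted on a given host would be allowed to call the API, and flags the two problems discussed above: a domain="*" grant and an API policy that lives on the same host as the user interface. The two sample policies and all hostnames are constructed for illustration. Subdomain wildcards are matched the way the Adobe policy-file specification describes them (*.example.com covers example.com and its subdomains), and the "same domain" test compares hostnames, which is a simplification of Chris's advice.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive policy that turns up on so many sites.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: the same API after restricting the grant to the hosts that need it.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="*.partner.example.net" secure="true" />
</cross-domain-policy>
"""


def parse_grants(policy_xml):
    """Return [(domain_pattern, secure_flag)] for every <allow-access-from> element."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    grants = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "").strip().lower()
        # secure defaults to true; only an explicit "false" lets http:// SWFs reach an https:// API
        secure = node.get("secure", "true").strip().lower() != "false"
        grants.append((domain, secure))
    return grants


def grant_matches(pattern, host):
    """Does one domain pattern cover the requesting host?"""
    host = host.lower()
    if pattern == "*":
        return True                     # everyone, everywhere
    if pattern.startswith("*."):
        # Adobe spec: *.example.com matches example.com and every subdomain of it
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def is_allowed(policy_xml, requester_host):
    """Would a SWF served from requester_host be allowed to make requests under this policy?"""
    return any(grant_matches(domain, requester_host) for domain, _ in parse_grants(policy_xml))


def audit(policy_xml, policy_host, ui_host):
    """Flag over-broad grants and the UI/API-on-one-host problem; returns a list of findings."""
    findings = []
    grants = parse_grants(policy_xml)
    for domain, secure in grants:
        if domain == "*":
            findings.append('allow-all: domain="*" lets a SWF on any site call %s' % policy_host)
        elif domain.startswith("*."):
            findings.append("wildcard: %s covers every subdomain; one compromised host is enough" % domain)
        if not secure:
            findings.append('insecure: secure="false" on %s admits SWFs loaded over plain http' % domain)
    if grants and policy_host.lower() == ui_host.lower():
        findings.append("shared-domain: the policy on %s also governs the user interface; "
                        "serve the API from a separate host" % policy_host)
    return findings


if __name__ == "__main__":
    for name, policy, host in (("permissive", PERMISSIVE_POLICY, "www.example.com"),
                               ("restricted", RESTRICTED_POLICY, "api.example.com")):
        print(name, "allows evil.example.org:", is_allowed(policy, "evil.example.org"))
        for finding in audit(policy, host, "www.example.com"):
            print("  ", finding)
```

Run against the permissive policy served from the same host as the UI, the audit reports both the allow-all grant and the shared-domain problem; against the restricted policy on a separate API host it reports only the subdomain wildcard, which is the residual risk you accept when you trust a partner's whole domain.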
Member of the PHP Magazine Network, Copyright (C) 2005-2008 phpmagazine.net All Rights Reserved