
Flash and cross-domain AJAX security

Ajax applications using the standard XMLHttpRequest object can only make requests to the domain they were loaded from. This is due to the same-domain security policy of the JavaScript sandbox, and it is useful to avoid dangerous cross-site scripting vulnerabilities. The restriction can easily be circumvented in a few ways: the most commonly used one is to install or write a proxy on your own web server. Instead of making your Ajax calls to another domain, you make them to your proxy, which forwards the call to the external domain and passes the response back to your client application. The browser only ever connects to your own server, so there is no security concern on its side.
Another powerful solution, less commonly used, is to take advantage of the cross-domain communication capabilities that Flash offers. Like JavaScript, Flash by default only allows requests to the same domain, but it also allows requests to third-party domains that explicitly permit them by means of a crossdomain.xml file.
There are a couple of utilities that let you make XMLHttpRequest-like requests through this Flash capability, such as Julien Couvreur's FlashXMLHttpRequest and Jimbojw.com's SWFHttpRequest Flash/Ajax Utility.
The crossdomain.xml file is a simple XML policy file that gives the Flash Player permission to access data from a given domain without displaying a security dialog. When placed on a server, it tells the Flash Player to allow direct access to data on that server without prompting the user to grant access. Cross-domain policy files are placed at the root level of a server. Within a policy file you can use a wildcard character (*) in a domain name.
If you have two domains, myFirstDomain.com and mySecondDomain.com, and you want the Ajax application on the first domain to call an API service on the second, you simply create a crossdomain file and put it at http://mySecondDomain.com/crossdomain.xml. The XML file looks like this:


<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.myFirstDomain.com" />
</cross-domain-policy>

But if you have a public service and you want to allow cross-domain Ajax requests initiated from anywhere, you have to write <allow-access-from domain="*" /> into your cross-domain file, as many big API service providers on the internet do (Yahoo, Flickr, Amazon, etc.). This can make your web site vulnerable to Cross-Site Request Forgery (CSRF) attacks, as discussed in this Chris Shiflett blog entry.

Chris Shiflett also suggests:
"If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there's almost no limit to what an attacker can do."
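As an added illustration (not code from the original post), here is a small Python script that parses a crossdomain.xml policy, decides which requesting hosts each rule covers, and flags the two risks raised above: a domain="*" rule, and an open policy served from the same domain as the user interface. The sample policies are constructed for the example; the matching rule (that *.example.com covers example.com and all of its subdomains, compared case-insensitively) is an assumption about Flash Player's behaviour, and the severity labels are this example's own.

```python
"""Audit a Flash crossdomain.xml policy for over-broad <allow-access-from> rules.

Added example, not code from the original post. Assumes the Flash Player
matching rule that "*.example.com" covers example.com and every subdomain.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies for this example (not fetched from any real site).
POLICY_RESTRICTED = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.myFirstDomain.com" />
</cross-domain-policy>"""

POLICY_OPEN = """<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>"""


def parse_allowed_domains(policy_xml):
    """Return the domain patterns granted by every <allow-access-from> element."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "").strip() for el in root.findall("allow-access-from")]


def domain_matches(pattern, host):
    """Does one policy domain pattern cover the requesting host?

    Assumed matching rule: "*" covers everything; "*.base" covers base itself
    and any host ending in ".base"; anything else must match exactly.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(policy_xml, requesting_host):
    """True if a SWF served from requesting_host may read data under this policy."""
    return any(domain_matches(p, requesting_host) for p in parse_allowed_domains(policy_xml))


def audit_policy(policy_xml, policy_host, ui_hosts=()):
    """Return (severity, message) findings for risky rules.

    policy_host is the host serving crossdomain.xml; ui_hosts are the hosts
    that serve the user-facing application (session cookies live there).
    """
    findings = []
    patterns = parse_allowed_domains(policy_xml)
    for pattern in patterns:
        if pattern == "*":
            findings.append(("high", f'domain="*": a SWF hosted anywhere may read responses '
                                     f"from {policy_host} with the victim's cookies attached"))
        elif pattern.startswith("*."):
            findings.append(("info", f"wildcard {pattern} trusts every present and future "
                                     f"subdomain of {pattern[2:]}"))
    # The same-domain case from the quoted advice: open policy + UI on the same host.
    if "*" in patterns and policy_host.lower() in {h.lower() for h in ui_hosts}:
        findings.append(("critical", f"open policy is served from the same domain as the "
                                     f"user interface ({policy_host}); serve the API from a "
                                     f"separate domain"))
    return findings


if __name__ == "__main__":
    for name, policy in (("restricted", POLICY_RESTRICTED), ("open", POLICY_OPEN)):
        print(f"--- {name} policy ---")
        for host in ("app.myFirstDomain.com", "evil.example"):
            print(f"{host:>24}: {'allowed' if is_allowed(policy, host) else 'denied'}")
        for severity, message in audit_policy(policy, "www.example.com",
                                              ui_hosts=("www.example.com",)):
            print(f"[{severity}] {message}")
```

Run against a policy fetched from your own server, the "critical" finding is the one to act on first: with domain="*" on the host that also serves the logged-in UI, any third-party SWF can read pages there with the user's session, which is exactly the situation the quoted advice warns about.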


About

This page contains a single entry from the blog posted on January 13, 2008 7:57 PM.
