From: Jon A. <ja1...@my...> - 2010-06-25 15:09:21
Hi all,

Rutger posted a help desk request last week to open up the treebase site to allow Flash-based apps access to treebase. I'm not against installing a crossdomain.xml file, but I think it needs to be done with some caution. It is strongly recommended NOT to use the least restrictive policy as advocated by the original requestor. Therefore, is anyone willing to read through the docs and suggest a sane policy?

Here's an excerpt from the documentation:

The following is the most permissive master policy file definition (strongly not recommended). It allows any policy file on the target domain to grant permissions, allows access to any of its file, and permits any header to be sent to the server, all of this possible even through HTTPS despite the source being HTTP:

Example 1.3: cross-domain-policy: Least restrictive policy

    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
      <site-control permitted-cross-domain-policies="all"/>
      <allow-access-from domain="*" secure="false"/>
      <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
    </cross-domain-policy>

The full document is located here:
http://learn.adobe.com/wiki/download/attachments/64389123/CrossDomain_PolicyFile_Specification.pdf?version=1

The sourceforge request is here:
https://sourceforge.net/tracker/?func=detail&aid=2977283&group_id=248804&atid=1126676

Thanks,
Jon
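
Added example, not part of the message above or of the Adobe specification: a Python check that parses a crossdomain.xml and flags the permissive settings the quoted excerpt warns about. The RESTRICTED policy and the domain apps.example.org are constructed placeholders for comparison, not a proposed treebase policy.

```python
import xml.etree.ElementTree as ET

# Policy quoted in the message above (Example 1.3, least restrictive).
LEAST_RESTRICTIVE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

# Constructed for comparison; apps.example.org is a placeholder domain.
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="apps.example.org"/>
</cross-domain-policy>"""

GRANTS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text):
    """Return findings for the permissive settings named in the excerpt."""
    root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    findings = []
    for el in root.iter("site-control"):
        if el.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control: any policy file on the domain may grant access")
    for el in root.iter():
        if el.tag not in GRANTS:
            continue
        if el.get("domain") == "*":
            findings.append(f"{el.tag}: domain='*' grants every origin")
        if el.get("headers") == "*":
            findings.append(f"{el.tag}: headers='*' permits any request header")
        if el.get("secure") == "false":
            findings.append(f"{el.tag}: secure='false' lets HTTP content reach HTTPS")
    return findings


if __name__ == "__main__":
    for name, policy in (("least restrictive", LEAST_RESTRICTIVE), ("restricted", RESTRICTED)):
        results = audit_policy(policy)
        print(f"{name}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```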