From: Jon A. <jon...@ne...> - 2010-09-23 12:16:15
I therefore recommend we NOT institute a crossdomain.xml for treebase.org. It would not be difficult for a user to get access to embargoed data, and treebase could lose its credibility if that happened. It also may be possible for a hacker to redirect treebase users to a malicious web application. The following post states that cookie-based authentication is particularly vulnerable:

http://www.jamesward.com/2009/11/08/how-bad-crossdomain-policies-expose-protected-data-to-malicious-applications/

If all agree, I recommend we close the following issue in the tracker with security concerns as the reason:

https://sourceforge.net/tracker/?func=detail&aid=2977283&group_id=248804&atid=1126676

thanks,
-Jon

On Sep 23, 2010, at 7:14 AM, Rutger Vos wrote:

> There is data that is under embargo and should only be accessible by
> the submitter(s) and reviewer(s). Session is maintained using cookies.
>
> On Wed, Sep 22, 2010 at 9:57 PM, Jon Auman <jon...@ne...> wrote:
>> I looked some more into the crossdomain.xml file that allows Adobe Flash
>> applications to access phylows data. The security implication is that all
>> data on the treebase server could become public. Is that OK? Is there any
>> data that should not become public?
>> Also, does the treebase application use cookies for session maintenance or web
>> service tokens or some other means for authentication?
>> Thanks,
>> Jon
>> -------------------------------------------------------
>> Jon Auman
>> Systems Administrator
>> National Evolutionary Synthesis Center
>> Duke University
>> http://www.nescent.org
>> jon...@ne...
>> ------------------------------------------------------
>>
>> _______________________________________________
>> Treebase-devel mailing list
>> Tre...@li...
>> https://lists.sourceforge.net/lists/listinfo/treebase-devel
>
> --
> Dr. Rutger A. Vos
> School of Biological Sciences
> Philip Lyle Building, Level 4
> University of Reading
> Reading
> RG6 6BX
> United Kingdom
> Tel: +44 (0) 118 378 7535
> http://www.nexml.org
> http://rutgervos.blogspot.com

-------------------------------------------------------
Jon Auman
Systems Administrator
National Evolutionary Synthesis Center
Duke University
http://www.nescent.org
jon...@ne...
------------------------------------------------------
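The risk the thread describes is the combination of a permissive Flash crossdomain.xml (any origin may read responses) with cookie-based sessions (the browser attaches the victim's session cookie to the Flash app's requests). The checker below, added here as an illustration and not part of the thread or of the TreeBASE code base, parses a crossdomain.xml policy and flags the settings that produce exactly that exposure. Both sample policies are constructed for the example; neither is TreeBASE's real policy.

```python
"""Audit a Flash crossdomain.xml policy for settings that let a Flash
application loaded from any origin make credentialed (cookie-bearing)
requests and read the responses.

Added example with constructed sample policies; not TreeBASE's policy.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the permissive policy discussed in the thread. A SWF
# served from any site may read this host's responses, and the browser
# sends the user's session cookie along with each request.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: a restrictive policy that trusts one named origin
# (hypothetical host viewer.example.org) and refuses SWFs loaded over
# plain HTTP (secure="true").
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="viewer.example.org" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain(policy_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing risky was found."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # Flash treats a missing secure attribute as "true" for HTTPS policies.
        secure = elem.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": a Flash app on any site '
                            "can read responses using the victim's session cookie")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from wildcard {domain}: every host under "
                            "that suffix is trusted")
        if secure == "false":
            findings.append(f'allow-access-from {domain} secure="false": SWFs loaded '
                            "over plain HTTP are trusted with HTTPS data")

    for elem in root.findall("allow-http-request-headers-from"):
        domain = elem.get("domain", "")
        headers = elem.get("headers", "")
        if domain == "*" or headers.strip() == "*":
            findings.append(f"allow-http-request-headers-from domain={domain!r} "
                            f"headers={headers!r}: arbitrary request headers allowed "
                            "cross-domain")

    site_control = root.find("site-control")
    if (site_control is not None
            and site_control.get("permitted-cross-domain-policies", "").lower() == "all"):
        findings.append('site-control permitted-cross-domain-policies="all": any policy '
                        "file on the host is honoured, not only /crossdomain.xml")

    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}:")
        for finding in audit_crossdomain(policy) or ["no findings"]:
            print("  -", finding)
```

The practical reading for a host that serves session-protected data: if the policy must exist at all, it should list only the specific origins that host the Flash client, keep `secure="true"`, and leave `permitted-cross-domain-policies` at `master-only`, because `domain="*"` turns every logged-in user's browser into a proxy for any SWF they happen to load.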