
I've been a bit lost. I have the following situation:

Flash Player file is on https://sub.example.com/player.swf

crossdomain.xml is on https://sub2.example.com/crossdomain.xml

Streaming is done using Wowza.

The crossdomain.xml right now is everything but tight:

<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

I've tried to figure this out myself and have read the following posts about this:

Still my question remains and is: How should the crossdomain.xml look in this case to protect properly, and why? There are no reasons other players should access the stream besides player.swf on the different subdomain.

SilverlightFox
user857990

1 Answer

A properly locked down policy would look like this in your situation:

<cross-domain-policy>
  <allow-access-from domain="sub.example.com" secure="true"/>
  <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

Allowing the * wildcard for all domains means that user sessions on sub2.example.com could be compromised by a malicious Flash app on another domain that the user visits.

SilverlightFox
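To make the difference between the two policy files above checkable rather than a matter of eyeballing, here is a small audit script. It is an added example and is not part of the question, the answer, Adobe's tooling or Wowza; it assumes, as the question states, that the only host that legitimately needs access is sub.example.com, and the three policy documents embedded in it are constructed samples (the first is the permissive file from the question, the second the restricted file from the answer with a `master-only` site-control, the third a subdomain wildcard that is tighter than `*` but still trusts every host under example.com). The `audit_policy` function and its messages are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open policy quoted in the question.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>
"""

# Constructed sample: access limited to the host that serves player.swf.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="sub.example.com" secure="true"/>
</cross-domain-policy>
"""

# Constructed sample: a subdomain wildcard. Tighter than "*", but it still
# admits a SWF on any host under example.com, not only sub.example.com.
SUBDOMAIN_WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text, allowed_hosts=()):
    """Return a list of findings (strings) for a crossdomain.xml document.

    allowed_hosts lists the hostnames whose SWFs legitimately need access
    (here: the host serving player.swf). An empty list skips the allow-list
    comparison and reports only the structural weaknesses.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]

    allowed = {h.lower() for h in allowed_hosts}

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # A missing secure attribute on an HTTPS-served policy means secure="true",
        # so only an explicit "false" is a downgrade.
        secure = elem.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any origin can '
                            "read responses sent with the user's cookies")
        elif domain.startswith("*."):
            findings.append('allow-access-from domain="%s": every host under %s is '
                            "trusted, not just the player host" % (domain, domain[2:]))
        elif allowed and domain.lower() not in allowed:
            findings.append('allow-access-from domain="%s": not in the expected host '
                            "list %s" % (domain, sorted(allowed)))
        if secure == "false":
            findings.append('allow-access-from domain="%s" secure="false": SWFs loaded '
                            "over plain HTTP may access this HTTPS host" % domain)

    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin '
                            "may send custom request headers")

    site_control = root.find("site-control")
    if site_control is not None:
        mode = site_control.get("permitted-cross-domain-policies", "").lower()
        if mode == "all":
            findings.append('site-control permitted-cross-domain-policies="all": any '
                            "path on the host may publish its own policy file")

    return findings


if __name__ == "__main__":
    samples = [("permissive", PERMISSIVE_POLICY),
               ("restricted", RESTRICTED_POLICY),
               ("subdomain-wildcard", SUBDOMAIN_WILDCARD_POLICY)]
    for name, policy in samples:
        print(name)
        for finding in audit_policy(policy, ["sub.example.com"]) or ["no findings"]:
            print("  -", finding)
```

Run it against the file actually served at https://sub2.example.com/crossdomain.xml (read the file and pass its text plus `["sub.example.com"]`) and the output should be empty. Two points the checker encodes that are worth keeping in mind: `permitted-cross-domain-policies="master-only"` is the tighter choice when the master file is the only policy you intend to serve, since `all` lets any policy file elsewhere on the host widen access; and crossdomain.xml only governs what Flash Player in a browser may read cross-origin with the user's cookies, so it protects users' sessions on sub2.example.com but does nothing to stop a non-browser client from fetching the stream directly.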