I've been a bit lost. I have the following situation:
- The Flash Player file is on https://sub.example.com/player.swf
- crossdomain.xml is on https://sub2.example.com/crossdomain.xml
- Streaming is done using Wowza.
The crossdomain.xml right now is everything but tight:
<cross-domain-policy>
  <!-- current policy: any domain, plaintext origins allowed, all policy files honoured -->
  <allow-access-from domain="*" secure="false"/>
  <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>
I've tried to figure this out myself and have read the following posts about this:
- http://sethsec.blogspot.ch/2014/03/exploiting-misconfigured-crossdomainxml.html
- https://stackoverflow.com/questions/1215127/how-do-i-specify-a-crossdomain-policy-file-to-allow-flash-to-grab-a-bitmap-from (especially answer two)
- https://forums.adobe.com/thread/422391
- https://www.wowza.com/forums/showthread.php?45081-The-function-of-crossdomain-xml
- https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
Still, my question remains:
How should the crossdomain.xml look in this case to protect properly, and why? There is no reason for other players to access the stream besides player.swf on the different subdomain.
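As an added example that is not part of the original post, a small Python audit of crossdomain.xml policies: it parses the permissive file quoted in the question and flags each weak setting, and it passes a tightened policy that names only sub.example.com over HTTPS. The tightened file is a constructed sample built from the assumption stated in the question (only player.swf on sub.example.com needs access).

```python
"""Audit a Flash crossdomain.xml for over-permissive settings (added example)."""
import xml.etree.ElementTree as ET

# The permissive policy quoted in the post.
PERMISSIVE = """<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>"""

# Constructed tightened version: one explicit host, HTTPS origins only,
# and only this master policy file is honoured on the host.
TIGHTENED = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="sub.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # A bare "*" lets a SWF served from any origin read the response.
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin')
        elif domain.startswith("*."):
            findings.append("wildcard subdomain rule: %s" % domain)
        # secure="false" lets an http:// SWF read content fetched over https://.
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false" on %s allows plaintext origins' % domain)
    # Anything other than master-only/none lets other policy files on the
    # host (for example one uploaded by a user) widen access.
    for ctl in root.findall("site-control"):
        mode = ctl.get("permitted-cross-domain-policies", "")
        if mode not in ("master-only", "none"):
            findings.append(
                'permitted-cross-domain-policies="%s" honours non-master policy files' % mode
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(name, audit_policy(policy) or ["no findings"])
```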